Terror EK via Malvertising delivers Tofsee Spambot

/ zerophage

Summary:

This was a great find, Terror EK in the wild from malvertising. The landing page appeared to be in the compromised site itself and was not loaded from an iframe, etc. The site just displayed jibberish (Lorem Ipsum). The EK used three Flash files, attempted a Silverlight exploit and triggered several interesting ET signatures. There was also almost no obfuscation of the code as well.

The payload was Tofsee and a thanks goes to @Antelox for confirming it. Tofsee is a spambot known to send spam emails. It has been dropped by Rig EK in the past. I did not see much email traffic however I was using a proxy which may have caused some traffic to not be logged.

Anyway this is a great find and I hope you can gain a lot of information from it.

Background Information:

A few articles and samples on Terror exploit kit:

https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit–More-like-Error-Exploit-Kit/

http://www.broadanalysis.com/2016/06/13/rig-exploit-kit-from-5-200-55-156-sends-tofsee-spambot/

Article on Tofsee:

https://www.cert.pl/en/news/single/tofsee-en/

Downloads

  • 230317TerrorTofsee-> Contains pcapng, payloads and flash files in password protected zip.

Notable Details:

  • 52.29.235.194 – eu4.echo-ice.com- Part of  a malvertising chain
  • 173.208.245.114 – paydayloanservice.net – Part of a malvertising chain
  • 128.199.233.119 –  Terror EK Traffic
  • 103.48.6.14– Tofsee Post Infection
  • 111.121.193.242 –  Tofsee Post Infection
  • Payload was Tofsee Spambot (rad6AC11.tmp.exe created kxuepssx.exe)

Details of infection chain:

(click to enlarge!)

TerrorEK-Tofsee.png

Terror EK via malvertising drops Tofsee spambot. I have added the IP addresses in here manually. The PCAP uses a proxy IP.

Full Details:

  • The malvertising chain let to a website that contained jibberish but also hosted the entire landing page with little to no attempt to obfuscate it. Below is a snippet:LandingPageT1
  • Terror EK uses a variety of exploits and has three different Flash files. The Flash files had not been uploaded to VT before for over a year.
  • SHA256: d7919a2c2a03e96200858fe2c8a405af1ae40f0590937f9a1a8b076f1d341c27
    File name: dafsg.swf
    Detection ratio: 34 / 56
  • SHA256: 55eea72f4fdf639987fc80789040dc1e98091c4adf8f30aebaba86d15f3aae06
    File name: oiuhygnjda.swf
    Detection ratio: 27 / 56
  • SHA256: 6e16ddfcf4c5f557f0f64ee8a4f16741e79dbe29acb43eccab87329116e88b9e
    File name: wdioj124.swf
    Detection ratio: 21 / 56
  • The payload was Tofsee, thanks to @Antelox for confirming this. It actually dropped two payloads but they both had the same hash despite one having the old style “rad” naming.
    SHA256: db04e22734b479bb49e55ab362f1a1c0378d7952ff7b6e3fe7916a11c3e6c84f
    File name: Carciofo.exe
    Detection ratio: 16 / 61
    Invincea backdoor.win32.tofsee.f
  • SHA256: 99d639df944351a1c77279ca0da31d80ce9e9d5a3bde1850a1ffca10dcc0f6c9
    File name: kxuepssx.exe
    Detection ratio: 10 / 61
    Invincea backdoor.win32.tofsee.f
  • Tofsee added itself to startup, listened on random ports and began to send emails.
  • tofseeexe
  • ET SignaturesETTerror

One thought on “Terror EK via Malvertising delivers Tofsee Spambot

  1. Pingback: Terror EK delivers BitCoin Miner | Zerophage Malware

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s