Tofsee is a botnet that has not been reported on since the analyses published in September 2016 by CERT Polska and Cisco Talos. This updated campaign employs new techniques in order to aggressively send large volumes of spam email, primarily targeting the adult dating scene. The new variant of Tofsee uses a crypto-mining client to call back and participate in mining for the Haven Protocol (XHV) cryptocurrency. During the initial analysis this mining activity showed a steady 10,000 active connections to a particular mining pool over a 24-hour period. Related variants also mine the BitTube (TUBE) privacy coin. At the time of analysis, 49 samples incorporating the crypto-mining aspect of this new variant were found in VirusTotal, the oldest dated October 29 2019. The oldest compilation timestamp dates back to January 13 2019, suggesting that this variant may have been in use for almost an entire year.
Behavioral Summary
The TTPs for the sample discussed in this report are displayed within CB Defense as shown below.
Details
When the dropper is first executed, it starts by unpacking itself into %TEMP%\abcdefgh.exe, where the 8-character filename is randomly generated (abcdefgh is used as a stand-in throughout this report). The binary then spawns additional processes in order to execute the following commands.
Process | Command | Description
--- | --- | ---
cmd.exe | "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\system32\abcdefgh\ | Creates subdirectory under Windows\System32
cmd.exe | "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\<user>\AppData\Local\Temp\abcdefgh.exe" C:\Windows\system32\abcdefgh\ | Moves unpacked PE file into newly created sub-directory
sc.exe | "C:\Windows\System32\sc.exe" create abcdefgh binPath= "C:\Windows\system32\abcdefgh\abcdefgh.exe /d\"C:\Users\<user>\Desktop\original_binary.exe\"" type= own start= auto DisplayName= "wifi support" | Creates new service for persistence
sc.exe | "C:\Windows\System32\sc.exe" description abcdefgh "wifi internet conection" | Masquerades service name
sc.exe | "C:\Windows\System32\sc.exe" start abcdefgh | Starts service
netsh.exe | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\system32\svchost.exe" enable=yes>nul | Creates Windows Firewall rule for svchost.exe
The unpacked binary contains a ShellExecute call designed to launch cmd.exe and create a process named wusa.exe using the username "uac", domain "is", and password "useless". This process was not observed during analysis; however, the process name masquerades as the legitimate Windows Update Standalone Installer executable.
The folder containing the unpacked malware (which uses a randomly generated 8-character filename, e.g. abcdefgh.exe) has its permissions set to read-only, and ownership of the folder is changed to SYSTEM so as to prevent viewing or modifying the folder and the binary within it. Once the newly created Windows service starts, the unpacked binary deletes the original dropper. It then injects into one child svchost.exe process, which further injects into two additional svchost.exe child processes (this may vary depending on the OS version).
If Windows Defender is present, a registry key is created under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths in order to exclude the path of the unpacked malware binary from scanning. The main responsibility of the svchost.exe processes is to make an outbound connection on port 443 to the C2 address, an IP address registered to a domain located in Hong Kong, as listed in the IOCs section towards the end of this report. Once the C2 is successfully contacted, the bot downloads the botnet configuration, which is saved as an Alternate Data Stream named systemprofile:.repos in either C:\windows\system32\config\ or C:\windows\syswow64\config\. The screenshot below shows the Alternate Data Stream being populated at runtime.
Below is a snippet of the first 256 bytes of the systemprofile:.repos stream, which eventually grows to 3 MB of raw data.
The same configuration data taken from the Alternate Data Stream is also written into the Windows Registry under HKEY_USERS\.DEFAULT\Control Panel\Buses, across the Config0, Config1 and Config2 registry keys.
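The install chain above (cmd.exe staging, sc.exe service creation, the netsh firewall rule, the Defender exclusion, the Buses\Config* keys and the systemprofile:.repos stream) is the kind of sequence an endpoint detection rule can key on. The following is an added example written for this report, not Carbon Black tooling or code from the malware: a small rule set run over constructed Sysmon-style events. The directory name `qwertyui`, the user `bob` and the event layout (`type`, `image`, `detail`) are all assumptions made for the example.

```python
import re

# Constructed Sysmon-style telemetry modelled on the install chain described above.
# "qwertyui" stands in for the random 8-letter name; none of these values are the
# report's IOCs.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "detail": r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\system32\qwertyui'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "detail": r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\bob\AppData\Local\Temp\qwertyui.exe" C:\Windows\system32\qwertyui'},
    {"type": "process", "image": r"C:\Windows\System32\sc.exe",
     "detail": r'"C:\Windows\System32\sc.exe" create qwertyui binPath= "C:\Windows\system32\qwertyui\qwertyui.exe /d\"C:\Users\bob\Desktop\setup.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "detail": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\system32\svchost.exe" enable=yes>nul'},
    {"type": "registry", "image": r"C:\Windows\system32\qwertyui\qwertyui.exe",
     "detail": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\system32\qwertyui"},
    {"type": "registry", "image": r"C:\Windows\System32\svchost.exe",
     "detail": r"HKU\.DEFAULT\Control Panel\Buses\Config0"},
    {"type": "stream", "image": r"C:\Windows\System32\svchost.exe",
     "detail": r"C:\Windows\System32\config\systemprofile:.repos"},
]
BENIGN_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\sc.exe",
     "detail": r'"C:\Windows\System32\sc.exe" query wuauserv'},
    {"type": "stream", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "detail": r"C:\Users\bob\Downloads\report.pdf:Zone.Identifier"},
    {"type": "registry", "image": r"C:\Windows\System32\svchost.exe",
     "detail": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"},
]

# (rule id, event type, image pattern or None, detail pattern, description)
RULES = [
    ("TOF-01", "process", r"\\cmd\.exe$",
     r'/C\s+move\s+/Y\s+"[^"]*\\AppData\\Local\\Temp\\[^"]+\.exe"\s+\S*\\system32\\',
     "cmd.exe moves an executable from %TEMP% into a system32 subdirectory"),
    ("TOF-02", "process", r"\\sc\.exe$",
     r'\bcreate\s+\S+\s+binPath=\s*"[^"]*\\system32\\([a-z]{8})\\\1\.exe',
     "sc.exe creates a service whose binary is system32\\<8 letters>\\<same 8 letters>.exe"),
    ("TOF-03", "process", r"\\sc\.exe$", r'DisplayName=\s*"wifi support"',
     "service display name matches the 'wifi support' lure"),
    ("TOF-04", "process", r"\\netsh\.exe$",
     r'advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="[^"]*\\svchost\.exe"',
     "netsh adds an inbound allow rule for svchost.exe"),
    ("TOF-05", "registry", None,
     r"\\Windows Defender\\Exclusions\\Paths\\.*\\system32\\[a-z]{8}$",
     "Defender path exclusion added for an 8-letter system32 subdirectory"),
    ("TOF-06", "registry", None, r"\\\.DEFAULT\\Control Panel\\Buses\\Config[0-2]$",
     "bot configuration written to HKU\\.DEFAULT\\Control Panel\\Buses\\Config0-2"),
    ("TOF-07", "stream", None, r"\\config\\systemprofile:\.repos$",
     "alternate data stream systemprofile:.repos created under a config directory"),
]


def scan(events):
    """Return (rule id, description, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        for rule_id, ev_type, image_re, detail_re, desc in RULES:
            if ev["type"] != ev_type:
                continue
            if image_re and not re.search(image_re, ev.get("image", ""), re.I):
                continue
            if re.search(detail_re, ev["detail"], re.I):
                hits.append((rule_id, desc, ev["detail"]))
    return hits


def fired(events):
    """Sorted list of the distinct rule ids that matched."""
    return sorted({h[0] for h in scan(events)})


def verdict(events):
    """Three or more distinct stages seen on one host are treated as the full install chain."""
    n = len(fired(events))
    return "likely Tofsee install chain" if n >= 3 else ("suspicious" if n else "clean")


if __name__ == "__main__":
    for rule_id, desc, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule_id}] {desc}\n    {detail}")
    print("sample host:", verdict(SAMPLE_EVENTS))
    print("benign host:", verdict(BENIGN_EVENTS))
```

Each rule on its own is weak (an administrator can legitimately create a service or add a firewall rule), which is why the verdict requires several distinct stages from the same host; the 8-letter directory name with a same-named executable (TOF-02) and the Buses\Config* keys (TOF-06) are the most specific of the set.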
The injected svchost.exe process then continues to make outbound connections to numerous IPs and domains, primarily on ports 25, 80 and 443. The HTTP/80 traffic connects to the mail.yahoo.com domain. Further examination of the SMTP/25 traffic shows clear signs of the victim host acting as an SMTP relay in order to send spam email. The vast majority of the emails share similar wording in subject and body, and contain different variations of a link that mostly leads back to the same web site, a low-tech Russian dating site; the TLD of the URL, however, is .cn (China). While the dating site appears very basic, with a simple registration form, its homepage embeds a paid Yandex Metrica JavaScript tag that tracks site visitors, including their mouse movements and behaviour during the visit. An example HTML email is shown below.
Due to the sheer volume of phishing emails sent over SMTP, certain providers and blocklist operators, such as Google Mail, Yahoo and Spamhaus, block some of the emails from being delivered. Alternatively, some emails are rejected by other providers, or the originating IP address from which the spam is sent is added to certain blacklists.
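A host acting as an SMTP relay, as described above, stands out in network telemetry because it opens TCP/25 sessions to many distinct mail servers in a short time, whereas a normal workstation talks to one or two. The following is an added example, not part of the report or of any Carbon Black product: a sliding-window fan-out detector run over constructed flow records. The addresses, timestamps, window and threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_flows():
    """Constructed flow records (timestamp, src, dst, dst_port); not data from the report."""
    base = datetime(2019, 12, 1, 9, 0, 0)
    flows = []
    # Infected host: 60 distinct mail servers on TCP/25 within five minutes (relay behaviour).
    for i in range(60):
        flows.append((base + timedelta(seconds=5 * i), "10.0.0.5", f"203.0.113.{i + 1}", 25))
    # Ordinary workstation: its own mail server on TCP/25 plus some HTTPS.
    for i in range(8):
        flows.append((base + timedelta(seconds=40 * i), "10.0.0.9", "10.0.0.2", 25))
        flows.append((base + timedelta(seconds=40 * i + 3), "10.0.0.9", "198.51.100.7", 443))
    return sorted(flows)


def detect_smtp_relays(flows, window=timedelta(minutes=10), threshold=20):
    """Flag sources that open SMTP sessions to `threshold` or more distinct destinations
    within `window`. Returns {src: {"first_seen", "alerted_at", "distinct_mx"}}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        if port == 25:                      # only the SMTP leg matters for relay detection
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        recent = []                         # (ts, dst) pairs inside the sliding window
        for ts, dst in events:
            recent.append((ts, dst))
            recent = [(t, d) for t, d in recent if ts - t <= window]
            distinct = {d for _, d in recent}
            if len(distinct) >= threshold:
                alert = alerts.setdefault(
                    src, {"first_seen": recent[0][0], "alerted_at": ts, "distinct_mx": 0})
                alert["distinct_mx"] = max(alert["distinct_mx"], len(distinct))
    return alerts


if __name__ == "__main__":
    for src, info in detect_smtp_relays(make_sample_flows()).items():
        print(f"{src}: {info['distinct_mx']} distinct SMTP peers, "
              f"first at {info['first_seen']:%H:%M:%S}, alerted at {info['alerted_at']:%H:%M:%S}")
```

The threshold should be tuned per environment: a legitimate mail gateway will trip it constantly, so exclude known MTAs from the source set, and a workstation that is not a mail server should rarely have more than a handful of TCP/25 peers in ten minutes.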
Crypto Miner:
If the malware is executed in a Windows 7 environment, an outbound connection is made to a mining pool using a crypto miner that shares traits with the XMRig family of malware, via the command:
svchost.exe --algo=cn-heavy/xhv -o pool.xhv.semipool.com:22284 -u <wallet_address>+50000 -p x -k
The following information which summarises the Haven cryptocurrency is taken from a Blockonomi report:
Haven is a coin based on Monero, so it inherits Monero's privacy aspects such as RingCT and stealth addresses. The goal of Haven is to make a system where one can trade their Haven for stable coins in different currencies (USD, EUR etc). This allows people to store funds that are stable and anonymous, unlike other stable coins that are not anonymous. Haven uses a modified version of the cryptonight heavy algorithm.
A quick search on this mining pool brings us to a dashboard showing over 11,000 connections at the time of writing.
Drilling into the port list, we can see that the majority of miners are connected to port 22284, the same port observed during our analysis. Over a 24-hour period during the analysis there were a minimum of 10,000 active connections to this mining pool on port 22284 at any one time, with the count fluctuating between 10,000 and 12,000.
Using the wallet address (not shown) from the svchost.exe command, we can retrieve statistics relating to the infected host. The screenshot below shows the hash rate over a 24-hour period, total XHV paid, and other metrics.
Older samples of Tofsee also mine the BitTube privacy coin, using outbound connections to TCP port 10281.
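The miner command line quoted above (and the BitTube variant's pool port) can be turned into a host and network check. What follows is an added example for this report, not code from the malware, XMRig or Carbon Black: it parses an XMRig-style command line into its algorithm, pool, wallet and flags, then scores it against the pool domains and ports from the IOC table. The option spellings follow XMRig's documented `-a/--algo`, `-o/--url`, `-u/--user`, `-p/--pass`, `-k/--keepalive` and `-B/--background`; the wallet placeholder, the `+50000` handling (kept as an opaque suffix) and the legitimate svchost.exe command line are assumptions.

```python
import shlex

# Pool indicators from the report's IOC table and text (XHV pool on TCP/22284,
# BitTube pool on TCP/10281). Everything else in this file is constructed.
KNOWN_POOLS = {
    "pool.xhv.semipool.com": ("Haven (XHV)", {22284}),
    "45.32.140.132": ("Haven (XHV)", {22284}),
    "bittube.herominers.com": ("BitTube (TUBE)", {10281}),
}
# XMRig-style option names (short and long spellings as XMRig documents them).
OPTS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
        "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}
FLAGS = {"-k": "keepalive", "--keepalive": "keepalive",
         "-B": "background", "--background": "background"}

# Constructed command lines: the first mirrors the one quoted in the report with the
# wallet replaced by a placeholder; the second is an ordinary Windows service host.
MINER_CMDLINE = ("svchost.exe --algo=cn-heavy/xhv -o pool.xhv.semipool.com:22284 "
                 "-u WALLET_ADDRESS_REDACTED+50000 -p x -k")
LEGIT_SVCHOST = r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"


def parse_miner_cmdline(cmdline):
    """Split an XMRig-style command line into image, algorithm, pool host/port, wallet and flags."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    info = {"image": toks[0] if toks else "", "flags": set()}
    i = 1
    while i < len(toks):
        key, _, inline = toks[i].partition("=")       # handles the --algo=VALUE spelling
        if key in OPTS:
            value = inline if inline else (toks[i + 1] if i + 1 < len(toks) else "")
            info[OPTS[key]] = value
            i += 1 if inline else 2
        elif key in FLAGS:
            info["flags"].add(FLAGS[key])
            i += 1
        else:
            i += 1
    url = info.get("url", "")
    host_port = url.split("://", 1)[-1]               # drop stratum+tcp:// if present
    host, _, port = host_port.rpartition(":")
    info["pool_host"] = host or host_port
    info["pool_port"] = int(port) if port.isdigit() else None
    # The report's sample appends "+50000" to the wallet; keep it separate, uninterpreted.
    info["wallet"], _, info["user_suffix"] = info.get("user", "").partition("+")
    return info


def classify(info):
    """Reasons a parsed command line matches the report's mining activity (empty = none)."""
    reasons = []
    host, port = info["pool_host"].lower(), info["pool_port"]
    algo = info.get("algo", "").lower()
    if host in KNOWN_POOLS:
        coin, ports = KNOWN_POOLS[host]
        reasons.append(f"pool {host} is listed in the report IOCs ({coin})")
        if port in ports:
            reasons.append(f"port {port} matches the observed mining port")
    if algo.startswith("cn-") or "cryptonight" in algo:
        reasons.append(f"CryptoNight-family algorithm '{algo}'")
    # A real service host never takes --algo/-o; the masquerade is the image name alone.
    if info["image"].lower().endswith("svchost.exe") and ("url" in info or "algo" in info):
        reasons.append("svchost.exe image carrying miner arguments (masquerading)")
    return reasons


def match_flow(dst, dst_port):
    """Map a (destination, port) pair from network telemetry to a coin from the IOC list."""
    coin, ports = KNOWN_POOLS.get(dst.lower(), (None, set()))
    return coin if dst_port in ports else None


if __name__ == "__main__":
    for cmd in (MINER_CMDLINE, LEGIT_SVCHOST):
        parsed = parse_miner_cmdline(cmd)
        print(cmd, "->", classify(parsed) or ["no miner indicators"])
    print("flow to bittube.herominers.com:10281 ->", match_flow("bittube.herominers.com", 10281))
```

Note the `-k` caveat visible in the legitimate command line: genuine svchost.exe also uses `-k` (service group) and `-p`, so those switches alone prove nothing; the pool URL, the `cn-*` algorithm string and a destination port of 22284 or 10281 are what carry the signal.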
The process activity from CB ThreatHunter is shown below.
The unpacked malware with connections made from svchost.exe are also shown below from CB ThreatHunter.
Remediation:
MITRE ATT&CK TIDs
TID | Tactic | Description
--- | --- | ---
T1045 | Defense Evasion | Anti Analysis
T1143 | Defense Evasion | Hidden Window
T1071 | Command and Control | Standard Application Layer Protocol
T1050 | Privilege Escalation, Persistence | New Service
T1058 | Privilege Escalation, Persistence | Service Registry Permissions Weakness
T1112 | Defense Evasion | Modify Registry
T1016 | Discovery | System Network Configuration Discovery
T1096 | Defense Evasion | NTFS File Attributes
Indicators of Compromise (IOCs)
Indicator | Type | Context
--- | --- | ---
cc5de927eea3e7e966ed49d34f6c45636c3315274b73d6ec331da4d77038eef9 | SHA256 | Tofsee Dropper
6610355d9b17dc8179c8907e6e095b88 | MD5 | Tofsee Dropper
e80f33e6c7adb40c379cc074386ac89cd86b2a53fc8c8b72b5338a97b3d213af | SHA256 | Tofsee Loader
a1353a6838e6e16c7b08aea0bdf1ee8d | MD5 | Tofsee Loader
43.231.4.7 | TCP/443 | C2 address
85.114.134.88 | TCP/481 | C2 address
45.32.140.132 | TCP/22284 | Crypto mining address
pool.xhv.semipool.com | Domain | Crypto mining domain
bittube.herominers.com | Domain | Crypto mining domain
The post Threat Analysis Unit (TAU) Threat Intelligence Notification: Tofsee Botnet appeared first on VMware Carbon Black.
Article Link: https://www.carbonblack.com/2019/12/13/threat-analysis-unit-tau-threat-intelligence-notification-tofsee-botnet/