win.tofsee

Tofsee

aka: Gheg

According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more.

Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.

References
2023-04-12 | Spamhaus | Spamhaus Malware Labs | Spamhaus Botnet Threat Update Q1 2023
@techreport{labs:20230412:spamhaus:aa309d1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} }
Families: FluBot, Amadey, AsyncRAT, Aurora, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Emotet, IcedID, ISFB, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Tofsee, Vidar

2023-04-10 | Check Point | Check Point | March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files
@online{point:20230410:march:144c1ad, author = {Check Point}, title = {{March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files}}, date = {2023-04-10}, organization = {Check Point}, url = {https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/}, language = {English}, urldate = {2023-04-12} }
Families: Agent Tesla, CloudEyE, Emotet, Formbook, Nanocore RAT, NjRAT, QakBot, Remcos, Tofsee

2023-04-06 | Spamhaus | Raashid Bhat | Neutralizing Tofsee Spambot – Part 1 | Binary file vaccine
@online{bhat:20230406:neutralizing:fe6fd3b, author = {Raashid Bhat}, title = {{Neutralizing Tofsee Spambot – Part 1 | Binary file vaccine}}, date = {2023-04-06}, organization = {Spamhaus}, url = {https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-1-binary-file-vaccine/}, language = {English}, urldate = {2023-04-08} }
Families: Tofsee

2023-04-06 | Spamhaus | Raashid Bhat | Neutralizing Tofsee Spambot – Part 2 | InMemoryConfig store vaccine
@online{bhat:20230406:neutralizing:fb399f6, author = {Raashid Bhat}, title = {{Neutralizing Tofsee Spambot – Part 2 | InMemoryConfig store vaccine}}, date = {2023-04-06}, organization = {Spamhaus}, url = {https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-2-inmemoryconfig-store-vaccine/}, language = {English}, urldate = {2023-04-08} }
Families: Tofsee

2023-04-06 | Spamhaus | Raashid Bhat | Neutralizing Tofsee Spambot – Part 3 | Network-based kill switch
@online{bhat:20230406:neutralizing:c151309, author = {Raashid Bhat}, title = {{Neutralizing Tofsee Spambot – Part 3 | Network-based kill switch}}, date = {2023-04-06}, organization = {Spamhaus}, url = {https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-3-network-based-kill-switch/}, language = {English}, urldate = {2023-04-14} }
Families: Tofsee

2023-03-28 | BitSight | André Tavares | Tofsee Botnet: Proxying and Mining
@online{tavares:20230328:tofsee:60925da, author = {André Tavares}, title = {{Tofsee Botnet: Proxying and Mining}}, date = {2023-03-28}, organization = {BitSight}, url = {https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining}, language = {English}, urldate = {2023-03-29} }
Families: Tofsee

2022-11-21 | Github (larsborn) | Lars Wallenborn | Tofsee String Decryption Code
@online{wallenborn:20221121:tofsee:8a0c345, author = {Lars Wallenborn}, title = {{Tofsee String Decryption Code}}, date = {2022-11-21}, organization = {Github (larsborn)}, url = {https://gist.github.com/larsborn/0ec24d7b294248c51de0c3335802cbd4}, language = {English}, urldate = {2022-11-25} }
Families: Tofsee

2022-10-13 | Spamhaus | Spamhaus Malware Labs | Spamhaus Botnet Threat Update Q3 2022
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} }
Families: FluBot, Arkei Stealer, AsyncRAT, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Dridex, Emotet, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Socelars, Tofsee, Vjw0rm

2022-02-11 | Cisco Talos | Talos | Threat Roundup for February 4 to February 11
@online{talos:20220211:threat:fcad762, author = {Talos}, title = {{Threat Roundup for February 4 to February 11}}, date = {2022-02-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html}, language = {English}, urldate = {2022-02-14} }
Families: DarkComet, Ghost RAT, Loki Password Stealer (PWS), Tinba, Tofsee, Zeus

2022-02-08 | Intel 471 | Intel 471 | PrivateLoader: The first step in many malware schemes
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} }
Families: Dridex, Kronos, LockBit, Nanocore RAT, NjRAT, PrivateLoader, Quasar RAT, RedLine Stealer, Remcos, SmokeLoader, STOP, Tofsee, TrickBot, Vidar

2021-05-17 | Dragos | Kent Backman | Investigating the Watering Hole Linked to the Oldsmar Water Treatment Facility Breach
@online{backman:20210517:investigating:447e111, author = {Kent Backman}, title = {{Investigating the Watering Hole Linked to the Oldsmar Water Treatment Facility Breach}}, date = {2021-05-17}, organization = {Dragos}, url = {https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/}, language = {English}, urldate = {2021-05-19} }
Families: Tofsee

2017-10-19 | CERT.PL | Jarosław Jedynak | A deeper look at Tofsee modules
@online{jedynak:20171019:deeper:f2e50ae, author = {Jarosław Jedynak}, title = {{A deeper look at Tofsee modules}}, date = {2017-10-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/}, language = {English}, urldate = {2020-01-06} }
Families: Tofsee

2017-10-06 | CERT.PL | Maciej Kotowicz, Jarosław Jedynak | Peering into spam botnets
@techreport{kotowicz:20171006:peering:668c82e, author = {Maciej Kotowicz and Jarosław Jedynak}, title = {{Peering into spam botnets}}, date = {2017-10-06}, institution = {CERT.PL}, url = {https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf}, language = {English}, urldate = {2020-04-06} }
Families: Emotet, Kelihos, Necurs, SendSafe, Tofsee

2017-03-24 | Zerophage | Terror EK via Malvertising delivers Tofsee Spambot
@online{zerophage:20170324:terror:b7e48b2, author = {Zerophage}, title = {{Terror EK via Malvertising delivers Tofsee Spambot}}, date = {2017-03-24}, url = {https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/}, language = {English}, urldate = {2020-01-05} }
Families: Tofsee

2016-12-22 | GovCERT.ch | GovCERT.ch | Tofsee Spambot features .ch DGA - Reversal and Countermesaures
@online{govcertch:20161222:tofsee:8a6f36b, author = {GovCERT.ch}, title = {{Tofsee Spambot features .ch DGA - Reversal and Countermesaures}}, date = {2016-12-22}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/tofsee-spambot-features-.ch-dga-reversal-and-countermesaures/}, language = {English}, urldate = {2023-02-27} }
Families: Tofsee

2016-09-29 | Cisco Talos | Edmund Brumaghin | Want Tofsee My Pictures? A Botnet Gets Aggressive
@online{brumaghin:20160929:want:8e6b2f6, author = {Edmund Brumaghin}, title = {{Want Tofsee My Pictures? A Botnet Gets Aggressive}}, date = {2016-09-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/tofsee-spam/}, language = {English}, urldate = {2023-02-27} }
Families: Tofsee

2016-09-16 | CERT.PL | Adam Krasuski | Tofsee – modular spambot
@online{krasuski:20160916:tofsee:79a1d35, author = {Adam Krasuski}, title = {{Tofsee – modular spambot}}, date = {2016-09-16}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/tofsee-en/}, language = {English}, urldate = {2020-01-13} }
Families: Tofsee

2014-04-02 | Virus Bulletin | Ryan Mi | Tofsee botnet
@online{mi:20140402:tofsee:ad7e66f, author = {Ryan Mi}, title = {{Tofsee botnet}}, date = {2014-04-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/04/tofsee-botnet}, language = {English}, urldate = {2023-02-27} }
Families: Tofsee

2009-03-17 | Marshal8e6 | Rodel Mendrez | Gheg spambot
@online{mendrez:20090317:gheg:9c244e1, author = {Rodel Mendrez}, title = {{Gheg spambot}}, date = {2009-03-17}, organization = {Marshal8e6}, url = {https://web.archive.org/web/20090428005953/http://www.marshal8e6.com/trace/i/Gheg,spambot.897~.asp}, language = {English}, urldate = {2023-03-16} }
Families: Tofsee
Yara Rules
[TLP:WHITE] win_tofsee_auto (20230407 | Detects win.tofsee.)
rule win_tofsee_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.tofsee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 46 84c0 75f9 2bf1 f60304 7474 e8???????? }
            // n = 7, score = 400
            //   46                   | inc                 esi
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   2bf1                 | sub                 esi, ecx
            //   f60304               | test                byte ptr [ebx], 4
            //   7474                 | je                  0x76
            //   e8????????           |                     

        $sequence_1 = { eb0a c705????????2c010000 53 e8???????? 2b05???????? 59 3bc5 }
            // n = 7, score = 400
            //   eb0a                 | jmp                 0xc
            //   c705????????2c010000     |     
            //   53                   | push                ebx
            //   e8????????           |                     
            //   2b05????????         |                     
            //   59                   | pop                 ecx
            //   3bc5                 | cmp                 eax, ebp

        $sequence_2 = { 41 85c0 88540ddb 75f0 8b750c 8bc1 49 }
            // n = 7, score = 400
            //   41                   | inc                 ecx
            //   85c0                 | test                eax, eax
            //   88540ddb             | mov                 byte ptr [ebp + ecx - 0x25], dl
            //   75f0                 | jne                 0xfffffff2
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8bc1                 | mov                 eax, ecx
            //   49                   | dec                 ecx

        $sequence_3 = { 83c8ff c3 1bc0 f7d8 c3 8b4c2408 }
            // n = 6, score = 400
            //   83c8ff               | or                  eax, 0xffffffff
            //   c3                   | ret                 
            //   1bc0                 | sbb                 eax, eax
            //   f7d8                 | neg                 eax
            //   c3                   | ret                 
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]

        $sequence_4 = { 66895806 a1???????? 66895808 a1???????? 6689580a 8b15???????? }
            // n = 6, score = 400
            //   66895806             | mov                 word ptr [eax + 6], bx
            //   a1????????           |                     
            //   66895808             | mov                 word ptr [eax + 8], bx
            //   a1????????           |                     
            //   6689580a             | mov                 word ptr [eax + 0xa], bx
            //   8b15????????         |                     

        $sequence_5 = { 837d0c03 7510 80781000 0f8434020000 56 e9???????? 8b4f14 }
            // n = 7, score = 400
            //   837d0c03             | cmp                 dword ptr [ebp + 0xc], 3
            //   7510                 | jne                 0x12
            //   80781000             | cmp                 byte ptr [eax + 0x10], 0
            //   0f8434020000         | je                  0x23a
            //   56                   | push                esi
            //   e9????????           |                     
            //   8b4f14               | mov                 ecx, dword ptr [edi + 0x14]

        $sequence_6 = { eb04 834e1401 ffd7 a3???????? ffd7 bde8030000 33d2 }
            // n = 7, score = 400
            //   eb04                 | jmp                 6
            //   834e1401             | or                  dword ptr [esi + 0x14], 1
            //   ffd7                 | call                edi
            //   a3????????           |                     
            //   ffd7                 | call                edi
            //   bde8030000           | mov                 ebp, 0x3e8
            //   33d2                 | xor                 edx, edx

        $sequence_7 = { 5d f7fd 03da 47 3bf9 7ce5 5d }
            // n = 7, score = 400
            //   5d                   | pop                 ebp
            //   f7fd                 | idiv                ebp
            //   03da                 | add                 ebx, edx
            //   47                   | inc                 edi
            //   3bf9                 | cmp                 edi, ecx
            //   7ce5                 | jl                  0xffffffe7
            //   5d                   | pop                 ebp

        $sequence_8 = { 50 ff15???????? ff742424 ff15???????? 8b442418 eb0d }
            // n = 6, score = 400
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ff742424             | push                dword ptr [esp + 0x24]
            //   ff15????????         |                     
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   eb0d                 | jmp                 0xf

        $sequence_9 = { 7428 8b00 85c0 7413 8b10 6a01 8bc8 }
            // n = 7, score = 400
            //   7428                 | je                  0x2a
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   6a01                 | push                1
            //   8bc8                 | mov                 ecx, eax

    condition:
        7 of them and filesize < 147456
}
[TLP:WHITE] win_tofsee_w0 (20171121 | No description)
rule win_tofsee_w0 {
    meta:
        author="akrasuski1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_version = "20171121"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:

        $decryptStr = {32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14}
        $xorGreet = {C1 EB 03 C0 E1 05 0A D9 32 DA 34 C6 88 1E}
        $xorCrypt = {F7 FB 8A 44 0A 04 30 06 FF 41 0C}

        $string_res1 = "loader_id"
        $string_res2 = "born_date"
        $string_res3 = "work_srv"
        $string_res4 = "flags_upd"
        $string_res5 = "lid_file_upd"
        $string_res6 = "localcfg"

        $string_var0 = "%RND_NUM"
        $string_var1 = "%SYS_JR"
        $string_var2 = "%SYS_N"
        $string_var3 = "%SYS_RN"
        $string_var4 = "%RND_SPACE"
        $string_var5 = "%RND_DIGIT"
        $string_var6 = "%RND_HEX"
        $string_var7 = "%RND_hex"
        $string_var8 = "%RND_char"
        $string_var9 = "%RND_CHAR"

    condition:
        (7 of ($string_var*) and 4 of ($string_res*))
        or
        (7 of ($string_var*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
        or
        (4 of ($string_res*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
}