
Backdoor:Win32/Tofsee.F


First posted on 15 February 2019.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Tofsee.F.

Explanation :

Installation

This threat copies itself to the following folder using a randomly generated file name:

%USERPROFILE%

For example:

%USERPROFILE%\srmrqc.exe
%USERPROFILE%\yulb.exe

It deletes its original file once it has run, so you might not be able to find the file it was launched from on your PC.

Tofsee makes several changes to the registry to ensure that its copies run at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random file name>"
With data: "%USERPROFILE%\<random file name>.exe u"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "userinit.exe, %USERPROFILE%\<random file name>.exe s"

Payload

Changes Internet Explorer security settings

Tofsee changes the following registry values to lower or disable Internet Explorer's security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets values:
"WarnOnZoneCrossing"
"WarnOnPostRedirect"
"WarnonBadCertRecving"
With data: "0"

In subkey: HKCU\Software\Microsoft\Internet Explorer\IntelliForms
Sets values:
"AskUser"
"WarnOnPost"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets values:
"MinLevel"
"RecommendedLevel"
"1601"
"1803"
"1800"
"1609"
"1407"
"1406"
"1405"
"1402"
"1400"
"1201"
"1200"
"1004"
"1001"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1601"
With data: "0"

In subkey: HKCU\Software\Microsoft\Internet Explorer\InformationBar
Sets value: "FirstTime"
With data: "0"

Tofsee also adds itself as a 'trusted program' to the Windows Firewall.
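The following PowerShell triage script is an added example; it is not part of Microsoft's description and not code from the Tofsee sample. It reads the registry locations listed above on a live host and reports values that match the described changes: the Run and Userinit persistence entries, the Internet Explorer values forced to 0, and a firewall allow-list entry for a binary sitting in the profile root. The regular expressions, the "profile root" heuristic and the two firewall list locations are assumptions made here, since the description does not say where the 'trusted program' entry is written.

```powershell
# Added triage script, not code from Microsoft or from the Tofsee sample. It reads the
# registry locations the description lists and reports values matching the described
# changes. The regexes, the "profile root" heuristic and the firewall list locations are
# assumptions. Run as Administrator; treat the output as leads, not as a verdict.

$script:ProviderMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$script:ProfileRoot  = '(?:[a-z]:\\(?:users|documents and settings)\\[^\\]+|%USERPROFILE%)'

function Test-ProfileRootExe {
    param([string]$Data, [string]$Switch)
    # True when $Data is "<profile root>\<name>.exe <Switch>", with the root written either
    # as %USERPROFILE% or already expanded (C:\Users\<user>, or the older Documents and
    # Settings layout). Surrounding quotes are tolerated.
    $d = [Environment]::ExpandEnvironmentVariables($Data).Trim()
    return $d -match ('(?i)^"?' + $script:ProfileRoot + '\\[^\\\s"]+\.exe"?\s+' + [regex]::Escape($Switch) + '\s*$')
}

function Get-TofseeIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Run key: <random>.exe launched from the profile root with the "u" argument.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty $runKey).PSObject.Properties) {
            if ($script:ProviderMeta -contains $p.Name) { continue }   # provider metadata, not a value
            if (Test-ProfileRootExe ([string]$p.Value) 'u') {
                $findings.Add("Run value '$($p.Name)' = $($p.Value)")
            }
        }
    }

    # 2. Userinit: a clean value is a single "...\system32\userinit.exe," entry; Tofsee
    #    appends "<profile root>\<random>.exe s" after the comma, so any other entry is reported.
    $wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty $wlKey -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($userinit) {
        foreach ($entry in ($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            if ($entry -notmatch '(?i)\\system32\\userinit\.exe$') { $findings.Add("Extra Userinit entry: $entry") }
        }
    }

    # 3. IE settings the description says are forced to 0. Some of these can be 0 on a clean
    #    machine, so one hit is weak; many hits across all of these keys is the signal.
    $ie = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
           Names = 'WarnOnZoneCrossing', 'WarnOnPostRedirect', 'WarnonBadCertRecving' },
        @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\IntelliForms'
           Names = 'AskUser', 'WarnOnPost' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
           Names = 'MinLevel', 'RecommendedLevel', '1601', '1803', '1800', '1609', '1407',
                   '1406', '1405', '1402', '1400', '1201', '1200', '1004', '1001' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
           Names = ,'1601' },
        @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\InformationBar'
           Names = ,'FirstTime' }
    )
    $zeroed = 0
    foreach ($c in $ie) {
        if (-not (Test-Path $c.Path)) { continue }
        $props = Get-ItemProperty $c.Path
        foreach ($n in $c.Names) {
            $v = $props.$n
            if ($null -ne $v -and [int]$v -eq 0) { $zeroed++; $findings.Add("IE value $($c.Path)\$n = 0") }
        }
    }
    if ($zeroed -gt 0) { $findings.Add("$zeroed of the listed IE hardening values are 0") }

    # 4. Firewall allow-lists (assumed location of the 'trusted program' entry): the XP-era
    #    AuthorizedApplications list (value name = path) and Vista+ FirewallRules strings
    #    carrying "|App=<path>|". Report entries that point at a binary in a profile root.
    $fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($sub in 'StandardProfile\AuthorizedApplications\List', 'FirewallRules') {
        $k = Join-Path $fwBase $sub
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
            if ($script:ProviderMeta -contains $p.Name) { continue }
            $app = if ($sub -eq 'FirewallRules') {
                if ([string]$p.Value -match '(?i)\|App=([^|]+)\|') { $Matches[1] } else { '' }
            } else { $p.Name }
            if ($app -and $app -match ('(?i)^' + $script:ProfileRoot + '\\[^\\]+\.exe$')) {
                $findings.Add("Firewall allow entry for profile-root binary: $app")
            }
        }
    }
    return $findings
}

$result = Get-TofseeIndicators
if ($result.Count) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Tofsee.F registry indicators found.' }
```

The Run and Userinit checks are the strong indicators: a legitimate Userinit value has nothing after the comma, and software that installs into the bare profile root and passes a single-letter switch is rare. The IE value check is deliberately reported as a count, because several of those values are 0 on an ordinary machine; it is the combination of all of them with the persistence entries that points at this family.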

Gives a malicious hacker access to your PC

Tofsee's primary purpose is to act as a spam and traffic relay. It functions as an HTTP proxy, receiving commands from a hacker that let it generate and send emails as if they came from your PC (though not necessarily from your email address).

Analysis by Matt McCormack

Last update 15 February 2019
