
TrojanDropper:O97M/Tobfy


First posted on 06 August 2016.
Source: Microsoft

Aliases :

There are no other names known for TrojanDropper:O97M/Tobfy.

Explanation :

Installation

This threat is a malicious macro embedded in a Microsoft Office document. When it runs, the macro can install and execute Ransom:Win32/Tobfy ransomware on your PC.

It is typically installed when you open a malicious attachment to a spam email. We have seen this threat attached to spam emails claiming to offer you a business deal, but the lures vary widely: invoices, purchase orders, traffic tickets, late payment notices and package delivery notices are all common.

The emails carry a Word document (.doc file) attachment which, when opened, presents you with a social-engineering lure:

The document pretends to be locked and uses social engineering to convince the user to enable macros. If the user clicks Enable Content, macros are enabled and the malicious macro in the document runs.

The macro then infects the PC with Ransom:Win32/Tobfy ransomware. It does this by dropping three files into your %appdata% folder, for example:

  • %appdata%\couth.exe
  • %appdata%\csrss_.exe
  • %appdata%\wsrv_.exe


These Tobfy files have been observed downloading further components from command and control (C&C) servers, for example:
  • hxxp://www.viplavka24.ru/system/logs.inst1.exe
  • hxxp://www.viplavka24.ru/system/logs/ss2_2.bin
  • hxxp://www.ip-fl.ru/system/logs/inst1.exe
  • hxxp://www.ip-fl.ru/system/logs/ss2_2.bin
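The chain above (Word writes an executable into %appdata%, launches it, and the dropped file reaches out to a C&C host) is what an endpoint detection should key on. The following is an added example, not code from the original page or from Microsoft: it runs simple detection logic over constructed Sysmon-style endpoint events. The event dictionaries, their field names (`type`, `image`, `parent_image`, `target`, `dest_host`) and the sample paths are assumptions for illustration; the C&C host names and the dropped file names come from the lists on this page.

```python
"""Detection logic for the Tobfy macro-dropper chain described on this page.

Added example (not the page's or Microsoft's code). Events are constructed,
Sysmon-style dictionaries; the field names are assumptions for illustration.
Stages flagged:
  1. an Office process writes an .exe directly under %appdata%
  2. an Office process launches an .exe from %appdata%
  3. an .exe in %appdata% connects to a known Tobfy C&C host
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# C&C hosts taken from the download URLs listed on the page.
TOBFY_C2_HOSTS = {"www.viplavka24.ru", "www.ip-fl.ru"}

# Office hosts: none of these should write or launch an executable under %appdata%.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# %appdata% expands to C:\Users\<user>\AppData\Roaming; the page's samples drop
# straight into that folder, so match an .exe directly under it.
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)

Event = Dict[str, str]

WINWORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"   # assumed path
OUTLOOK = r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE"   # assumed path

# Constructed sample telemetry: benign Word/Outlook noise plus the Tobfy drop chain.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "image": WINWORD, "parent_image": OUTLOOK},
    {"type": "file_create", "image": WINWORD,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\~WRL0001.tmp"},
    {"type": "file_create", "image": WINWORD,
     "target": r"C:\Users\alice\AppData\Roaming\couth.exe"},
    {"type": "file_create", "image": WINWORD,
     "target": r"C:\Users\alice\AppData\Roaming\csrss_.exe"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Roaming\couth.exe",
     "parent_image": WINWORD},
    {"type": "network_connect", "image": r"C:\Users\alice\AppData\Roaming\couth.exe",
     "dest_host": "www.viplavka24.ru"},
    {"type": "network_connect", "image": OUTLOOK, "dest_host": "outlook.office365.com"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, indicator) pairs for every event matching one stage of the chain."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if (kind == "file_create" and _basename(ev["image"]) in OFFICE_PROCESSES
                and APPDATA_EXE.search(ev["target"])):
            hits.append(("office_writes_appdata_exe", ev["target"]))
        elif (kind == "process_create" and _basename(ev["parent_image"]) in OFFICE_PROCESSES
                and APPDATA_EXE.search(ev["image"])):
            hits.append(("office_launches_appdata_exe", ev["image"]))
        elif kind == "network_connect":
            if ev["dest_host"].lower() in TOBFY_C2_HOSTS:
                hits.append(("tobfy_c2_contact", ev["dest_host"]))
            elif APPDATA_EXE.search(ev["image"]):
                # Unknown destination, but an %appdata% binary talking out is still notable.
                hits.append(("appdata_exe_beacon", ev["dest_host"]))
    return hits


def correlate(events: List[Event]) -> Dict[str, Set[str]]:
    """Map each %appdata% executable (lower-cased path) to the stages seen for it."""
    stages: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and _basename(ev["image"]) in OFFICE_PROCESSES \
                and APPDATA_EXE.search(ev["target"]):
            stages[ev["target"].lower()].add("dropped")
        elif kind == "process_create" and APPDATA_EXE.search(ev["image"]) \
                and _basename(ev["parent_image"]) in OFFICE_PROCESSES:
            stages[ev["image"].lower()].add("executed")
        elif kind == "network_connect" and APPDATA_EXE.search(ev["image"]):
            tag = "c2" if ev["dest_host"].lower() in TOBFY_C2_HOSTS else "network"
            stages[ev["image"].lower()].add(tag)
    return dict(stages)


def full_chains(events: List[Event]) -> List[str]:
    """Executables for which drop, execution and C&C contact were all observed."""
    return sorted(p for p, s in correlate(events).items()
                  if {"dropped", "executed", "c2"} <= s)


if __name__ == "__main__":
    for rule, indicator in triage(SAMPLE_EVENTS):
        print(f"{rule:30} {indicator}")
    print("full chains:", full_chains(SAMPLE_EVENTS))
```

On the sample telemetry the per-event rules fire four times (two drops, one launch, one C&C contact) and only couth.exe completes the full drop/execute/C&C chain; csrss_.exe is seen dropped but not run, which is exactly the kind of partial hit worth keeping as a lower-severity alert rather than discarding.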


Payload

Drops other malware

The infected .doc files contain a malicious macro that, once the document is opened and macros are enabled, downloads and runs Ransom:Win32/Tobfy ransomware on your PC.



Analysis by Geoff McDonald

Last update 06 August 2016
