
Tofsee Botnet's Survival Hangs in the Balance

Posted: September 29, 2016

The Botnet Pushes Malware in an Attempt to Stay Alive

Tofsee is a piece of malicious software that has been in the wild for quite a while now. It is known for using infected PCs as cryptocurrency miners and as click-fraud machines, and it has enslaved thousands of computers into a botnet that is referred to either as Tofsee or as GHEG.

The botnet has been around for as long as the malware that created it, and it is a powerful tool for spammers. Over the years it has sent countless messages advertising either pharmaceutical products or adult dating websites. In the past, those emails carried no malicious files. That, it seems, is no longer the case.

After a relatively long hiatus, researchers from Talos noticed that the botnet is waking up. Apparently, the beautiful Russian and Ukrainian women want to meet you again. This time, however, they are sending a ZIP file that some users might be fooled into believing contains pictures of the women in question. In fact, the archive contains a JavaScript (JS) downloader that infects the machine with Tofsee and adds it to the very botnet that sent the unsolicited email.
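The lure described above is a ZIP attachment whose only member is a script. The following is an added example (not code from the article or from Talos) of the check a mail gateway would run to catch it: open each ZIP attachment and flag members with a script extension, including double extensions such as `photo.jpg.js`. Only `.js` is named in the article; the rest of the extension list, the sample message and its harmless JavaScript stand-in are constructed assumptions for the example.

```python
"""Flag e-mail attachments that are ZIP archives carrying script files.

Added example, not from the original article or from Talos. The extension
list beyond .js and the sample message are assumptions made for this example.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Script extensions a mail gateway would typically block inside archives.
# Only .js is named in the article; the others are an assumption.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1"}


def suspicious_zip_members(zip_bytes: bytes) -> list[str]:
    """Return archive member names whose extension is a script type."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for name in zf.namelist():
                lowered = name.lower()
                # endswith() catches "photo.jpg.js" as well as plain "photo.js".
                if any(lowered.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                    hits.append(name)
    except zipfile.BadZipFile:
        # A corrupt or non-ZIP payload is not a script hit for this check.
        return []
    return hits


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each ZIP attachment filename to the script members found inside it."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check the content signature too, not just the declared name:
        # senders mislabel attachment types.
        if not (filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04")):
            continue
        members = suspicious_zip_members(payload)
        if members:
            findings[filename] = members
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a dating-themed spam with a ZIP wrapping a .js file."""
    # Constructed, harmless JavaScript stand-in for the downloader.
    js_body = b"WScript.Echo('constructed sample, does nothing');"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my_photos.jpg.js", js_body)
    msg = EmailMessage()
    msg["From"] = "example@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "My photos for you"
    msg.set_content("I am waiting for your reply, see the pictures attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photos.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

The check looks at the archive's contents rather than trusting the attachment's declared type, since the whole point of the lure is that the ZIP is presented as photos. A real gateway would also want to handle nested archives and password-protected ZIPs, which this example does not.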

But why, several years after creating their botnet, have the Tofsee operators decided that bundling their spam messages with malware is a good idea?

Believe it or not, it all comes down to shifts in the exploit kit market. Until recently Tofsee, the malware that recruits zombies for the botnet, was distributed via the RIG exploit kit. RIG was not especially popular with cybercriminals, and its usage was somewhat limited. Then, in June, Angler and Nuclear, the two biggest exploit kits out there, disappeared unexpectedly, and their load had to be spread among the remaining kits. Initially, Neutrino took the lead as the most prominent exploit kit, but at the beginning of September a big malvertising campaign run through Neutrino was taken down, and numerous crooks moved to RIG.

This was bad news for Tofsee: the RIG gang focused on other strains of malware, and distribution of Tofsee slowed to a crawl. A spam botnet has to acquire new bots every day if it is to survive, because the IP addresses of the existing ones land on spam blacklists fairly quickly and their mail stops getting through.

That is why the crooks behind Tofsee decided to use their own botnet to recruit new zombies. It is a rather bold decision, because there is no guarantee that the newly infected machines will outnumber the blacklisted ones. Only time will tell whether the gamble pays off.
