The phishing emails purport to be from women in Eastern Europe (namely Russia and Ukraine) and the theme of the emails is adult dating.
Each email contains slightly different text; however, the same format is used across all of the messages Talos analyzed.
This post was authored by Edmund Brumaghin.
Tofsee is multi-purpose malware that has been in existence for several years, operating since at least 2013.
It features a number of modules that are used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more.
The Tofsee botnet has long been known for sending spam messages, and those messages have historically contained links to adult dating and pharmaceutical websites.
When executed, the downloader retrieves a malicious executable and runs it, infecting the system with Tofsee.
The malware drops a randomly named PE32 executable into the %USERPROFILE% directory.
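The drop behaviour described above (a PE32 executable with a random name written directly into %USERPROFILE%) is simple enough to hunt for on an endpoint. The following script is an added example, not code from the Talos post or from Tofsee itself: it walks the top level of a profile directory, parses just enough of the DOS/NT headers to confirm a 32-bit PE image, and flags images whose file-name stem is long and high-entropy. The entropy cut-off, minimum name length and the tiny fake PE used to exercise it offline are assumptions for illustration, not indicators taken from the campaign.

```python
"""Hunt for randomly named PE32 executables dropped at the top level of a
user profile directory. Heuristic example; thresholds are assumed values."""
import math
import os
import struct
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 3.0   # bits/char; assumed cut-off, tune for your estate
MIN_STEM_LEN = 8          # assumed: short names such as "setup" are rarely random


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(filename: str) -> bool:
    """True when the name's stem is long and has little repeated-letter structure."""
    stem = Path(filename).stem.lower()
    return len(stem) >= MIN_STEM_LEN and shannon_entropy(stem) >= ENTROPY_THRESHOLD


def is_pe32(path: Path) -> bool:
    """Parse only the DOS header, PE signature and optional-header magic."""
    try:
        with open(path, "rb") as f:
            dos = f.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            f.seek(e_lfanew)
            nt = f.read(4 + 20 + 2)   # "PE\0\0" + COFF header + optional-header magic
    except OSError:
        return False
    if len(nt) < 26 or nt[:4] != b"PE\0\0":
        return False
    (magic,) = struct.unpack_from("<H", nt, 24)
    return magic == 0x10B          # 0x10b = PE32; 0x20b would be PE32+ (64-bit)


def hunt(profile_dir) -> list:
    """Return [(name, reason)] for files directly under profile_dir that are
    PE32 images with random-looking names. Subdirectories are not descended,
    matching the drop location described in the post."""
    hits = []
    with os.scandir(profile_dir) as it:
        for entry in sorted(it, key=lambda e: e.name):
            if not entry.is_file(follow_symlinks=False):
                continue
            if is_pe32(Path(entry.path)) and looks_random(entry.name):
                bits = shannon_entropy(Path(entry.name).stem.lower())
                hits.append((entry.name, f"PE32 with high-entropy name ({bits:.2f} bits/char)"))
    return hits


def build_fake_pe32() -> bytes:
    """Constructed sample: the smallest byte string is_pe32() accepts. This is
    not a real program and not Tofsee; it only exercises the hunt offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: NT headers follow DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)  # Machine = i386
    optional_magic = struct.pack("<H", 0x10B)        # PE32 magic
    return bytes(dos) + b"PE\0\0" + coff + optional_magic


def run_demo() -> list:
    """Populate a temporary 'profile' with constructed files and return the
    names the hunt flags. Only the random-named PE32 should be reported."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "xkqzvbtrwe.exe").write_bytes(build_fake_pe32())   # mimics the dropper's output
        Path(d, "setup.exe").write_bytes(build_fake_pe32())        # PE32, ordinary name
        Path(d, "hqwzrtyxvb.tmp").write_bytes(b"not a PE image")   # random name, not PE
        Path(d, "notes.txt").write_bytes(b"hello")                 # neither
        return [name for name, _reason in hunt(d)]


if __name__ == "__main__":
    print(run_demo())
```

On a live Windows host you would call hunt(os.environ["USERPROFILE"]) for each profile under C:\Users; the entropy test is only a triage filter, so treat hits as candidates for hashing and sandboxing rather than as confirmed infections.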
By leveraging our vast visibility into the threat landscape, Talos is able to effectively monitor these threats and quickly detect changes in the tactics, techniques, and procedures attackers are using, so that we can continually protect our customers' networks and data.
Additional ways our customers can detect and block this threat are listed below.
In June 2016, following the disappearance of the Angler exploit kit from the threat landscape, other major exploit kits began to shift to different payloads.