Backdoor:Win32/Tofsee.F
First posted on 15 February 2019.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/Tofsee.F.
Explanation:
Installation
This threat copies itself to the following folder using a randomly generated file name:
%USERPROFILE%
For example:
%USERPROFILE%\srmrqc.exe
%USERPROFILE%\yulb.exe
It deletes its original file once it has run, so you might not find the original file on your PC; only the randomly named copy remains.
Tofsee makes several changes to the registry so that its randomly named copy runs at each Windows start (the value name and the file name below are the random name chosen at installation):
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: ".exe u"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "userinit.exe, %USERPROFILE% .exe s"
Payload
Changes Internet Explorer security settings
Tofsee changes the following registry values to lower or disable Internet Explorer's security settings. The numeric value names under the Zones subkeys are Internet Explorer URL-action IDs (zone 2 is Trusted sites, zone 3 is Internet); setting such a value to 0 allows that action without a prompt, and setting MinLevel and RecommendedLevel to 0 removes the floor on how low the zone's security level can be set:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets values:
"WarnOnZoneCrossing"
"WarnOnPostRedirect"
"WarnonBadCertRecving"
With data: "0"
In subkey: HKCU\Software\Microsoft\Internet Explorer\IntelliForms
Sets values:
"AskUser"
"WarnOnPost"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets values:
"MinLevel"
"RecommendedLevel"
"1601"
"1803"
"1800"
"1609"
"1407"
"1406"
"1405"
"1402"
"1400"
"1201"
"1200"
"1004"
"1001"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1601"
With data: "0"
In subkey: HKCU\Software\Microsoft\Internet Explorer\InformationBar
Sets value: "FirstTime"
With data: "0"
Tofsee also adds itself to the Windows Firewall's list of authorized applications (a "trusted program"), so the firewall does not block its inbound or outbound connections.
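The persistence entries and the Internet Explorer settings above are all plain registry values, so they can be triaged offline from a registry export. The following is an added example written for this page, not code from Microsoft's write-up: it parses the text of a `reg export` (.reg) file and flags the three patterns the write-up describes (a Winlogon Userinit value that chains an extra program, a Run entry whose executable sits directly in a user profile root, and IE warning flags or zone URL actions set to 0). The sample export embedded below is constructed for illustration; the paths, the value names and the user name bob are assumptions, not indicators from the write-up.

```python
"""Offline triage of a .reg export for Tofsee-style persistence and IE changes.
Added example for this page (not Microsoft's code). Sample export is constructed."""
import re

# Constructed sample: what `reg export` might produce on an infected machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe, C:\\Users\\bob\\srmrqc.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srmrqc"="C:\\Users\\bob\\srmrqc.exe u"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnZoneCrossing"=dword:00000000
"WarnOnPostRedirect"=dword:00000000
"WarnonBadCertRecving"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601"=dword:00000000
"1200"=dword:00000001
"""

# IE warning flags the write-up says are zeroed, and the URL-action IDs it lists.
IE_WARN_FLAGS = {"WarnOnZoneCrossing", "WarnOnPostRedirect", "WarnonBadCertRecving",
                 "AskUser", "WarnOnPost", "FirstTime"}
ZONE_ACTIONS = {"MinLevel", "RecommendedLevel", "1001", "1004", "1200", "1201",
                "1400", "1402", "1405", "1406", "1407", "1601", "1609", "1800", "1803"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}}; dwords become ints, strings are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                current[name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # .reg escapes backslash and quote with a backslash; undo that.
                current[name] = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            else:
                current[name] = data  # hex(...) and other types kept verbatim
    return keys


def _in_profile_root(cmd):
    """True if the command's executable sits directly in %USERPROFILE% or <drive>:\\Users\\<name>."""
    if not cmd:
        return False
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    parent = exe.replace("/", "\\").lower().split("\\")[:-1]
    if parent == ["%userprofile%"]:
        return True
    return len(parent) == 3 and parent[1] == "users"  # e.g. ["c:", "users", "bob"]


def audit(keys):
    """Return a list of human-readable findings for the Tofsee patterns in the write-up."""
    findings = []
    for key, values in keys.items():
        lk = key.lower()
        if lk.endswith("\\winlogon"):
            # Userinit should contain only userinit.exe; Tofsee appends "<copy>.exe s".
            for entry in (e.strip() for e in str(values.get("Userinit", "")).split(",")):
                if entry and not entry.split()[0].lower().endswith("userinit.exe"):
                    findings.append(f"Winlogon Userinit chains extra program: {entry}")
        elif lk.endswith("\\currentversion\\run"):
            for name, cmd in values.items():
                if _in_profile_root(str(cmd)):
                    findings.append(f"Run entry '{name}' launches from a profile root: {cmd}")
        elif re.search(r"\\internet settings\\zones\\\d+$", lk):
            zone = lk.rsplit("\\", 1)[1]
            for name, v in values.items():
                if name in ZONE_ACTIONS and v == 0:
                    findings.append(f"IE zone {zone}: {name} set to 0 (allowed without prompt)")
        elif lk.endswith(("\\internet settings", "\\intelliforms", "\\informationbar")):
            for name, v in values.items():
                if name in IE_WARN_FLAGS and v == 0:
                    findings.append(f"IE warning disabled: {name}=0 under {key}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_reg(SAMPLE_REG)):
        print(line)
```

On a live system the same checks apply to `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and the other keys listed above; the Userinit check is the highest-signal one, because a legitimate Userinit value contains only userinit.exe. A benign OneDrive Run entry is included in the sample to show that the profile-root check does not fire on programs installed under Program Files.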
Gives a malicious hacker access to your PC
Tofsee's primary purpose is to act as a spam and traffic relay. It functions as an HTTP proxy and receives commands from a remote attacker that let it generate and send emails as if they came from your PC (though not necessarily from your email address).
Analysis by Matt McCormack
Last update 15 February 2019