Discovered in May 2013, the Tofsee botnet targets Windows OS and, until June 2016, was distributed to vulnerable systems using the RIG exploit kit (EK). Tofsee is primarily used for spam distribution, click fraud, cryptocurrency mining, and DDoS attacks. It is comprised of three components: the loader, the core module, and plug-ins. The responsibility of the loader component is to establish contact with hardcoded C2 servers and download and execute the core module. The core module then runs undetected in the target system, maintains contact with the C2 servers, retrieves new configuration information and loads the plug-ins. The plug-ins are used for various functions such as sniffing, cryptocurrency mining, sniffing, and setting up proxies.

In June 2016, the RIG EK stopped distributing Tofsee and, in August of the same year, Tofsee began infecting computers via spam emails containing malicious attachments. These attachments contain a malware downloader designed to infect systems and join them to the Tofsee botnet.

In December 2016, the Swiss Governmental Computer Emergency Response Team (GovCERT), and SWITCH, the registrar of top-level Swiss domain names, worked together to remove domains that were hosting Tofsee’s dynamic C2 servers. GovCERT was able to reverse-engineer Tofsee’s domain generation algorithm (DGA) and correctly predict which .biz and .ch domain names would be chosen as C2 servers for the botnet in the upcoming year. As a result, a domain name blacklist was created preventing anyone from registering those specific domains for the next 12 months. Since many of the .biz domain names belong to various registrars across the globe, GovCERT was not able to prevent their registrations. However, the organization did publish a list of the URLs on its website so ISPs and cybersecurity organizations can proactively block traffic to them.

Reporting and Technical Details

  • April 2014: Tofsee Botnet (Virus Bulletin)
  • September 2016: Want Tofsee My Pictures? A Botnet Gets Aggressive (Cisco Talos Blog)
  • December 2016: CERT Switzerland Temporarily Cripples Tofsee Botnet (Bleeping Computer)
  • December 2016: Tofsee Technical Details, Indicators of Compromise, and Domain Name List (GovCERT)