# Terror EK via Malvertising delivers Tofsee Spambot **[zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/](https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/)** zerophage March 24, 2017 ## Summary: This was a great find, Terror EK in the wild from malvertising. The landing page appeared to be in the compromised site itself and was not loaded from an iframe, etc. The site just displayed jibberish (Lorem Ipsum). The EK used three Flash files, attempted a Silverlight exploit and triggered several interesting ET signatures. There was also almost no obfuscation of the code as well. [The payload was Tofsee and a thanks goes to @Antelox for confirming it. Tofsee is a](https://twitter.com/Antelox) spambot known to send spam emails. It has been dropped by Rig EK in the past. I did not see much email traffic however I was using a proxy which may have caused some traffic to not be logged. Anyway this is a great find and I hope you can gain a lot of information from it. ## Background Information: A few articles and samples on Terror exploit kit: https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit–More-like-ErrorExploit-Kit/ http://www.broadanalysis.com/2016/06/13/rig-exploit-kit-from-5-200-55-156-sends-tofseespambot/ Article on Tofsee: [https://www.cert.pl/en/news/single/tofsee-en/](https://www.cert.pl/en/news/single/tofsee-en/) ## Downloads [230317TerrorTofsee-> Contains pcapng, payloads and flash files in password protected](https://zerophagemalware.files.wordpress.com/2017/03/230317terrortofsee.zip) zip. ## Notable Details: 52.29.235.194 – eu4.echo-ice.com- Part of a malvertising chain 173.208.245.114 – paydayloanservice.net – Part of a malvertising chain 128.199.233.119 – Terror EK Traffic ----- 103.48.6.14– Tofsee Post Infection 111.121.193.242 – Tofsee Post Infection Payload was Tofsee Spambot (rad6AC11.tmp.exe created kxuepssx.exe) ## Details of infection chain: (click to enlarge!) Terror EK via malvertising drops Tofsee spambot. I have added the IP addresses in here manually. The PCAP uses a proxy IP. ## Full Details: ----- The malvertising chain let to a website that contained jibberish but also hosted the entire landing page with little to no attempt to obfuscate it. Below is a snippet: Terror EK uses a variety of exploits and has three different Flash files. The Flash files had not been uploaded to VT before for over a year. SHA256: d7919a2c2a03e96200858fe2c8a405af1ae40f0590937f9a1a8b076f1d341c27 File name: Detection ratio: dafsg.swf [34 / 56](https://www.virustotal.com/en/file/d7919a2c2a03e96200858fe2c8a405af1ae40f0590937f9a1a8b076f1d341c27/analysis/1490312933/) SHA256: 55eea72f4fdf639987fc80789040dc1e98091c4adf8f30aebaba86d15f3aae06 File name: Detection ratio: oiuhygnjda.swf [27 / 56](https://www.virustotal.com/en/file/55eea72f4fdf639987fc80789040dc1e98091c4adf8f30aebaba86d15f3aae06/analysis/) SHA256: 6e16ddfcf4c5f557f0f64ee8a4f16741e79dbe29acb43eccab87329116e88b9e File name: Detection ratio: wdioj124.swf [21 / 56](https://www.virustotal.com/en/file/6e16ddfcf4c5f557f0f64ee8a4f16741e79dbe29acb43eccab87329116e88b9e/analysis/1490312957/) ----- The payload was Tofsee, thanks to [@Antelox for confirming this. It actually dropped two](https://twitter.com/Antelox) payloads but they both had the same hash despite one having the old style “rad” naming. SHA256: db04e22734b479bb49e55ab362f1a1c0378d7952ff7b6e3fe7916a11c3e6c84f File name: Detection ratio: Carciofo.exe [16 / 61](https://www.virustotal.com/en/file/db04e22734b479bb49e55ab362f1a1c0378d7952ff7b6e3fe7916a11c3e6c84f/analysis/) Invincea backdoor.win32.tofsee.f SHA256: 99d639df944351a1c77279ca0da31d80ce9e9d5a3bde1850a1ffca10dcc0f6c9 File name: Detection ratio: kxuepssx.exe [10 / 61](https://www.virustotal.com/en/file/99d639df944351a1c77279ca0da31d80ce9e9d5a3bde1850a1ffca10dcc0f6c9/analysis/1490256791/) Invincea backdoor.win32.tofsee.f Tofsee added itself to startup, listened on random ports and began to send emails. ET Signatures -----