STRRAT Malware – Active IOCs
February 6, 2025
CVE-2025-21087 – F5 BIG-IP TMM Vulnerability
February 7, 2025
Severity
High
Analysis Summary
Tofsee malware has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and gather user data. The malware can download additional modules to carry out different activities: it can track users' online activities, steal personal information and credentials, and change browser and DNS settings. Tofsee has been known to spread through malicious email attachments, infected software downloads, and drive-by downloads from compromised websites. It persists on a system across reboots and can hide its presence from antivirus software. Upon execution, it drops multiple files onto the system and modifies the registry to ensure persistence. Tofsee uses a combination of stealth techniques to avoid detection, such as process hollowing, code obfuscation, and anti-debugging measures. The malware can cause major damage, such as financial loss and further infections, and is used by cybercriminals to generate as much revenue as possible. It is typically installed without the user's intent, causing a slew of issues for both the system and other users. Tofsee is also capable of injecting unwanted advertisements into web pages visited by the infected user and redirecting browser traffic to malicious websites.
In terms of mitigation, it is crucial to keep software and operating systems up to date, avoid downloading suspicious files, and use a reputable antivirus program.
Impact
- Information Theft
- Credential Theft
- Crypto-Mining
Indicators of Compromise
MD5
06077e5b5aca1f69577800fd0c4bb30f
5391133aecd6e3ae09896a7f293da3e3
06958795116b9a99d9ae45154ff8dd35
80c4dac8971f83ec1efd7dae8e156a87
SHA-256
a303ad4f575489cae3854a1ca53376d973520bb9323ad2df169db7efdfd9e393
bb23ae297337b1abc92ab289aa3d2b121b7b225e4c30fbd1051c0b5cf684de3e
7cfba5dca44e825ad71f9d883d45919a12656c51d5eb8a51fcb4e155bf27477c
7639b02a5bde68cb99710937389fdf80a84f6727b986d1a1769ffad95ffcbad0
SHA-1
dcf001f83257eaf1b3ab8d042907a6b253d3a515
b0bd391d51d8182b8c292ca08eacdd785a8e9900
a35b4a5bfc50e8d3f5ee52f1f71739f34386410f
d0fac30dde343aed789cd6d791c395949375a486
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Patch and upgrade all platforms and software in a timely manner, and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable two-factor authentication.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
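The IOC search recommended above can be done with a simple hash sweep. The following script is an added example, not part of the original advisory: it walks a directory tree, hashes every regular file with MD5, SHA-1 and SHA-256 in a single pass, and reports any file whose digest matches one of the indicators listed above. The digests are copied from this advisory; the directory to scan is an assumption supplied on the command line, and the `normalize_iocs` helper is an added convenience for pasting a mixed list of hashes without sorting them by algorithm first.

```python
"""IOC hash sweep (added example, not the advisory's own tooling).

Walks a directory tree, hashes each regular file with MD5, SHA-1 and
SHA-256, and reports files whose digest appears in the indicator set.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Set, Tuple

# Hex digest length -> algorithm name, used to classify a mixed IOC list.
_LEN_TO_ALG = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_iocs(raw: Iterable[str]) -> Dict[str, Set[str]]:
    """Group a flat list of hex digests by algorithm, lower-cased.

    Entries that are not plausible MD5/SHA-1/SHA-256 hex strings are
    dropped so a stray comment or blank line in a pasted list is harmless.
    """
    grouped: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for entry in raw:
        digest = entry.strip().lower()
        alg = _LEN_TO_ALG.get(len(digest))
        if alg and all(c in "0123456789abcdef" for c in digest):
            grouped[alg].add(digest)
    return grouped


# Indicators copied from the advisory (MD5, SHA-256 and SHA-1 sections).
ADVISORY_HASHES = [
    "06077e5b5aca1f69577800fd0c4bb30f",
    "5391133aecd6e3ae09896a7f293da3e3",
    "06958795116b9a99d9ae45154ff8dd35",
    "80c4dac8971f83ec1efd7dae8e156a87",
    "a303ad4f575489cae3854a1ca53376d973520bb9323ad2df169db7efdfd9e393",
    "bb23ae297337b1abc92ab289aa3d2b121b7b225e4c30fbd1051c0b5cf684de3e",
    "7cfba5dca44e825ad71f9d883d45919a12656c51d5eb8a51fcb4e155bf27477c",
    "7639b02a5bde68cb99710937389fdf80a84f6727b986d1a1769ffad95ffcbad0",
    "dcf001f83257eaf1b3ab8d042907a6b253d3a515",
    "b0bd391d51d8182b8c292ca08eacdd785a8e9900",
    "a35b4a5bfc50e8d3f5ee52f1f71739f34386410f",
    "d0fac30dde343aed789cd6d791c395949375a486",
]
ADVISORY_IOCS = normalize_iocs(ADVISORY_HASHES)


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of one file, reading it only once."""
    digests = {
        "md5": hashlib.md5(),
        "sha1": hashlib.sha1(),
        "sha256": hashlib.sha256(),
    }
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {alg: d.hexdigest() for alg, d in digests.items()}


def scan_tree(root: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (path, algorithm, digest) for every file matching an indicator.

    Symlinks are not followed and unreadable files are skipped, so one
    permission error does not abort the whole sweep.
    """
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for alg, digest in digests.items():
                if digest in iocs.get(alg, set()):
                    hits.append((path, alg, digest))
    return hits


if __name__ == "__main__":
    import sys

    # Directory to sweep is an assumption supplied by the operator.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, alg, digest in scan_tree(target, ADVISORY_IOCS):
        print(f"MATCH {alg} {digest} {path}")
```

Run it as `python sweep.py /path/to/suspect/tree`; each match prints the algorithm that fired alongside the path, which matters because the advisory lists four samples under each of three algorithms and a hit on only one algorithm for a given file still warrants triage. Hashing all three digests in one read keeps the sweep I/O-bound rather than tripling disk traffic on large volumes.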