Most of the traffic is over HTTPS to popular websites, including several Russian ones. Figure 2 lists the top hostnames contacted by the bot.
Figure 2 – Most requested HOST:PORT pairs.
While looking through the traffic, we spotted an interesting pattern. Around 3% of the requests were HTTP POSTs whose URI ended in “.php” and, in many cases, started with “/wp-”, sent to random websites that appear legitimate. Each request’s payload starts with the string “ce=” followed by a base64-encoded spam template (similar to Code 2). The response was usually a 200 OK with “*send:ok*” as payload. These indicators lead us to believe that these apparently legitimate websites have likely been compromised and are being used to distribute spam.
em=<REDACTED>@aol.com,<REDACTED>@icloud.com,<REDACTED>@hotmail.com,<REDACTED>@yahoo.com,<REDACTED>@micromedint.com,<REDACTED>@hotmail.com,<REDACTED>@yahoo.com.hk,<REDACTED>@hotmail.com,<REDACTED>@sfr.fr,<REDACTED>@msn.com,<REDACTED>@yahoo.com,<REDACTED>@yahoo.com,<REDACTED>@comcast.net,<REDACTED>@aol.com,<REDACTED>@sfr.fr,<REDACTED>@yahoo.fr,<REDACTED>@yahoo.com,<REDACTED>@msn.com,<REDACTED>@aol.com,<REDACTED>@hotmail.com,<REDACTED>@gmail.com,<REDACTED>@yahoo.com,<REDACTED>@comcast.net,<REDACTED>@aol.com,<REDACTED>@hotmail.com,<REDACTED>@yahoo.com,<REDACTED>@hotmail.fr,<REDACTED>@hotmail.com,<REDACTED>@hotmail.com,<REDACTED>@hotmail.com,<REDACTED>@sfr.fr,<REDACTED>@free.fr,<REDACTED>@hotmail.com,<REDACTED>@hotmail.com,<REDACTED>@hotmail.com,<REDACTED>@yahoo.com,<REDACTED>@hotmail.com,<REDACTED>@comcast.net,<REDACTED>@libero.it,<REDACTED>@hotmail.it,<REDACTED>@sunrise.ch,<REDACTED>@aol.com,<REDACTED>@hotmail.com,<REDACTED>@hotmail.it,<REDACTED>@hotmail.com,<REDACTED>@hotmail.co.uk,<REDACTED>@hotmail.com,<REDACTED>@aol.com,<REDACTED>@bellsouth.net,<REDACTED>@yahoo.com,<REDACTED>@hotmail.com,<REDACTED>@gmail.com,<REDACTED>@yahoo.com,<REDACTED>@aol.com,<REDACTED>@orange.fr,<REDACTED>@gmail.com,<REDACTED>@yahoo.com,<REDACTED>@yahoo.com,<REDACTED>@aol.com,<REDACTED>@fuse.net,<REDACTED>@aol.com,<REDACTED>@olguin.cc,<REDACTED>@hotmail.fr,<REDACTED>@aol.com,<REDACTED>@live.com,<REDACTED>@yahoo.co.uk,<REDACTED>@planet.nl,<REDACTED>@aol.com,<REDACTED>@aol.com,<REDACTED>@aol.com,<REDACTED>@yahoo.com,<REDACTED>@yahoo.com,<REDACTED>@att.net,<REDACTED>@yahoo.com,<REDACTED>@gmail.com,<REDACTED>@gmx.de,<REDACTED>@aol.com,<REDACTED>@hotmail.com,<REDACTED>@gmail.com,<REDACTED>@hotmail.com,<REDACTED>@yahoo.com&s=Product of the day&f={rand:24×7 Pharmacy|Pharmacy 24×7|Pharmacy USA|USA Pharmacy} – {rand:Final Price|Super Deals|Best Deals|Discounter}&sn=1&rpt=&tp=1&m=<html lang="en">
<head><meta name="viewport" content="width=device-width" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body><br>Good morning. How are you my dear.<br><br>
Noone will stay indifferent! Get Dream's Pills here.<br><br>
<a href="https://ajwhvdhk.page.link/NiG75YhjQHn1sYXXA">CLICK HERE TO ORDER NOW<br><br><br><br><br></a></body></html>
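As an added example (not code from the BitSight post), a small Python detector that applies the pattern described above to web proxy request records: a POST to a path ending in ".php", a body of "ce=" plus base64, a decoded template in the em=…&s=…&f=…&m=… form, and "send:ok" in the response. The request record schema and the sample template are constructed assumptions, not data from the original page.

```python
import base64
import re

# Constructed sample template in the "ce=" payload format described above;
# the addresses and link are placeholders, not data from the original post.
SAMPLE_TEMPLATE = (
    "em=a@example.com,b@example.net&s=Product of the day"
    "&f={rand:24x7 Pharmacy|Pharmacy USA} - {rand:Best Deals|Discounter}"
    "&sn=1&rpt=&tp=1&m=<html><body>Hi<br>"
    '<a href="https://example.invalid/abc">CLICK</a></body></html>'
)
# Constructed request records as a web proxy might export them (hypothetical schema).
SAMPLE_REQUESTS = [
    {"method": "POST", "host": "blog.example.org", "path": "/wp-content/x.php",
     "body": "ce=" + base64.b64encode(SAMPLE_TEMPLATE.encode()).decode(),
     "response": "send:ok"},
    {"method": "POST", "host": "shop.example.org", "path": "/cart.php",
     "body": "item=3&qty=1", "response": "<html>...</html>"},
]

def decode_template(body):
    """Return the decoded template when the body is 'ce=' + base64, else None."""
    if not body.startswith("ce="):
        return None
    try:
        return base64.b64decode(body[3:], validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return None

def parse_template(template):
    """Split off the HTML message (m=) first, since it may itself contain '&'."""
    head, _, message = template.partition("&m=")
    fields = dict(kv.partition("=")[::2] for kv in head.split("&"))
    return {"recipients": [r for r in fields.get("em", "").split(",") if r],
            "subject": fields.get("s", ""), "from_name": fields.get("f", ""),
            "links": re.findall(r'href="([^"]+)"', message)}

def flag_spam_relay(req):
    """Return parsed details if the request matches the relay pattern, else None."""
    if req["method"] != "POST" or not req["path"].endswith(".php"):
        return None
    template = decode_template(req["body"])
    if template is None or not template.startswith("em="):
        return None
    info = parse_template(template)
    info.update(host=req["host"], path=req["path"],
                confirmed="send:ok" in req.get("response", ""))
    return info
```

The recipient list and extracted links give a blocklist and a notification list for the site owner; the "confirmed" flag separates relays that actually delivered from attempts that failed.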
Another 3% of the traffic was SMTP(S) spam that can be categorized as “romance scam” or “dating scam” and that included photo attachments of the supposed sender. In short, all spam activity was done exclusively through the proxy module. As for the “smtp” plugin, although it is still being sent to the bots, we haven’t seen any activity from it so far.
Mining Masari
Regarding the miner plugin, we extracted a configuration payload (Code 3) containing some URLs. None of them seem to work, except “fastpool.xyz”, and the references to them on Google are old.
Source: https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining