Tofsee Botnet: Proxying and Mining | Bitsight

BitSight analyzes the Tofsee botnet, showing a proxy plugin that routes most traffic via HTTPS to popular sites, including Russian targets. It also details spam delivery via compromised sites and Masari mining activity, with fastpool.xyz as a working pool and a shortened URL ajwhvdhk.page.link/NiG75YhjQHn1sYXXA as an indicator. #Tofsee #Masari #fastpool.xyz #ajwhvdhk.page.link

Keypoints

  • The botnet uses a proxy module to send most traffic over HTTPS to popular websites, including several Russian hosts.
  • A subset of HTTP POST requests ends with “.php” and often starts with “/wp-”, carrying a base64-encoded spam template in ce= and receiving a “send:ok” response, suggesting compromised sites are used to distribute spam.
  • About 3% of traffic is SMTP(S) spam traffic via the proxy module, with the SMTP plugin present but not yet active in observed activity.
  • The miner plugin reveals Masari mining activity, with a configuration payload showing URLs but only fastpool.xyz appears functional; other URLs are outdated.
  • Identified indicators include the fastpool.xyz mining pool and a shortened URL ajwhvdhk.page.link/NiG75YhjQHn1sYXXA used in the investigation.

MITRE Techniques

  • [T1090] Proxy – The bot uses a proxy plugin to route traffic through various websites; ‘Most of the traffic is over HTTPS to popular websites, including several Russian ones.’
  • [T1071.001] Web Protocols – The bot performs HTTP POST requests to endpoints ending in .php (often starting with /wp-), sending a base64-encoded spam template and receiving ‘send:ok’ in response. ‘Around 3% of the requests were HTTP POST with the URI ending in “.php” … The response to the request usually was a 200 OK with “send:ok” as payload.’
  • [T1027] Obfuscated/Compressed Files – Payload data is base64-encoded (ce=) as part of the spam template, indicating obfuscated content being transmitted. ‘payload starts with the string “ce=” followed by a base64-encoded spam template’
  • [T1496] Resource Hijacking – Masari mining activity via a miner plugin; ‘Mining Masari’ and a working pool are identified, with fastpool.xyz as the only functional URL.
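As an added illustration (not code from the Bitsight post), the following Python heuristic flags proxied HTTP exchanges that match the spam-relay pattern described above: a POST to a URI ending in .php (often under /wp-), a body of the form ce=<base64 template>, and a 200 response whose payload is send:ok. The sample exchanges are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample exchanges (not real captures): each tuple is
# (method, uri, request_body, status, response_body).
SAMPLE_EXCHANGES = [
    ("POST", "/wp-content/uploads/x.php",
     "ce=" + base64.b64encode(b"Subject: hi\r\n\r\nbody").decode(), 200, "send:ok"),
    ("POST", "/index.php", "user=a&pass=b", 200, "<html>"),
    ("GET", "/wp-login.php", "", 200, "<html>"),
    ("POST", "/wp-admin/a.php", "ce=!!!notbase64", 200, "send:ok"),
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def is_base64(s):
    """True if s is well-formed, strictly decodable base64."""
    if not B64_RE.match(s) or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def score_exchange(method, uri, body, status, resp):
    """Return the list of heuristics matched by one HTTP exchange."""
    hits = []
    if method != "POST" or not uri.endswith(".php"):
        return hits                      # only POSTs to .php are of interest
    hits.append("post_to_php")
    if uri.startswith("/wp-"):
        hits.append("wp_path")           # typical compromised-WordPress path
    if body.startswith("ce="):
        hits.append("ce_param")
        if is_base64(body[3:]):
            hits.append("ce_base64")     # encoded spam template
    if status == 200 and resp.strip() == "send:ok":
        hits.append("send_ok_response")  # relay acknowledged the send
    return hits


def flag_exchanges(exchanges, min_hits=3):
    """Indices of exchanges matching at least min_hits heuristics."""
    return [i for i, ex in enumerate(exchanges)
            if len(score_exchange(*ex)) >= min_hits]
```

Raising min_hits to 5 keeps only exchanges where every heuristic, including a valid base64 template, matched.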

Indicators of Compromise

  • [URL] fastpool.xyz – used as the mining pool for Masari mining activity.
  • [URL] ajwhvdhk.page.link/NiG75YhjQHn1sYXXA – a shortened link present in the spam/communication workflow.

Read more: https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining