Severity
High
Analysis Summary
Tofsee malware has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and gather user data, and it can download additional modules to carry out other activities. It can track users’ online activities, steal personal information and credentials, and change browser and DNS settings. It can also inject unwanted advertisements into web pages visited by the infected user and redirect browser traffic to malicious websites.
Tofsee is known to spread through malicious email attachments, infected software downloads, and drive-by downloads from compromised websites. It is usually installed without the user's knowledge. Upon execution, it drops multiple files onto the system and modifies the registry so that it persists across reboots. To avoid detection, including by antivirus software, it combines stealth techniques such as process hollowing, code obfuscation, and anti-debugging measures.
Cybercriminals use Tofsee to generate as much revenue as possible, and an infection can cause major damage, such as financial loss and computer infections, with a slew of issues for both the infected system and other users.
In terms of mitigation, it is crucial to keep software and operating systems up to date, avoid downloading suspicious files, and use a reputable antivirus program.
Impact
- Information Theft
- Credential Theft
- Crypto-Mining
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Never trust or open links and attachments received from unknown sources/senders.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
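One way to carry out the "search for IOCs" step for file hashes, as an added example that is not part of the Rewterz advisory: it parses a hash list laid out under MD5 / SHA-1 / SHA-256 headings, as in this advisory, and sweeps a directory tree, hashing each file once under all three algorithms. The function names and the sample files in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# hashlib name for each hash-type heading used in the advisory's IOC list.
ALGS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}

def parse_iocs(text):
    """Parse 'heading' / '- hexdigest' lines into {algorithm: set(digests)}."""
    iocs = {alg: set() for alg in ALGS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper() in ALGS:
            current = line.upper()
        elif line.startswith("-") and current:
            value = line.lstrip("- ").lower()
            size = hashlib.new(ALGS[current], usedforsecurity=False).digest_size
            if len(value) != size * 2 or not set(value) <= set("0123456789abcdef"):
                raise ValueError(f"malformed {current} IOC: {value!r}")
            iocs[current].add(value)
        elif line:
            current = None  # any other text ends the current hash list
    return iocs

def file_digests(path, chunk=1 << 20):
    """Read the file once and return its hex digest under every algorithm."""
    hashers = {a: hashlib.new(n, usedforsecurity=False) for a, n in ALGS.items()}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def sweep(root, iocs):
    """Return sorted (path, algorithm) pairs for files matching a listed hash."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            digests = file_digests(path)
        except OSError:
            continue  # unreadable or locked file: skip it, keep sweeping
        hits += [(str(path), a) for a, d in digests.items() if d in iocs[a]]
    return sorted(hits)

def demo():
    """Constructed sample: one file listed by MD5 and SHA-256, one clean file."""
    with tempfile.TemporaryDirectory() as root:
        bad = Path(root, "dropped.bin")
        bad.write_bytes(b"constructed sample payload")
        Path(root, "clean.txt").write_bytes(b"benign")
        d = file_digests(bad)
        listing = f"MD5\n- {d['MD5']}\nSHA-256\n- {d['SHA-256'].upper()}\n"
        return [(Path(p).name, a) for p, a in sweep(root, parse_iocs(listing))]

if __name__ == "__main__":
    print(demo())
```

A hash sweep only finds files that are byte-for-byte identical to the listed samples, so treat an empty result as "these samples are absent", not as "the host is clean".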