An exploit kit stopped sending out malware so attackers are now using the malware’s botnet capabilities to deliver the payload, researchers said.
Tofsee, malware in existence since 2013, allows attackers to conduct activities, including click fraud, cryptocurrency mining, DDoS attacks and sending spam, said researchers at Cisco’s Talos team.
Up until June 2016, attackers sent out the malware using the RIG exploit kit and malvertising campaigns. Then, after the Angler exploit kit went away, attackers used RIG to deliver other payloads.
After RIG stopped delivering Tofsee, cybercriminals turned to email spam campaigns to infect computers. Usually, the Tofsee botnet sent spam emails, however, in August, researchers found the spam messages changed and started delivering Tofsee malware downloaders.
The volume of these spam emails increased since mid-August, reaching more than 2,000 messages on some days in September, Talos researchers said.
The spam emails are adult-themed and they purport to come from women in Russia and Ukraine. Recipients receive a set of instructions to download and open the ZIP archive attached to the messages as it supposedly contains pictures of the sender.