TOFUDRV

| Attribute | Value |
| --- | --- |
| Type of Malware | Trojan |
| Country of Origin | Iran |
| Targeted Countries | Middle East |
| Date of Initial Activity | 2024 |
| Associated Groups | UNC1860 |
| Motivation | Cyberwarfare |
| Attack Vectors | Software Vulnerabilities |
| Targeted Systems | Windows |
Overview
TOFUDRV is a sophisticated piece of malware utilized by advanced persistent threat (APT) groups, most notably the UNC1860 threat actor. This malware is designed to target Windows systems, specifically leveraging the Windows kernel to gain a foothold and execute malicious actions with high levels of stealth. As a kernel driver, TOFUDRV operates at a privileged level within the operating system, allowing it to bypass conventional security measures such as endpoint detection and response (EDR) solutions, which are typically focused on user-space processes.
What sets TOFUDRV apart from other malware is its reliance on a low-level, highly technical approach to infecting systems persistently. By exploiting the Windows kernel, TOFUDRV can silently monitor, modify, and block system calls, and thereby control network traffic, file system interactions, and registry modifications. This level of access lets attackers avoid detection and retain control of compromised machines for extended periods. Because the malware operates so deep within the system, it is particularly difficult for defenders to detect, analyze, and mitigate.
Targets
Information
Public Administration
How they operate
Unlike traditional malware, which operates within user space, TOFUDRV interacts directly with the operating system’s kernel. This strategic positioning allows it to operate with enhanced privileges, evading most conventional security measures, including endpoint detection and response (EDR) systems. By exploiting the Windows kernel, TOFUDRV can modify system behaviors, control network traffic, and gain deep insights into the infected machine’s resources, all while remaining covert.
A defining characteristic of TOFUDRV is its use of Input/Output Control (IOCTL) commands, which are low-level operations that interact with the operating system’s kernel and are typically not monitored by most security tools. The malware exploits undocumented IOCTL calls to establish communication with its command-and-control (C2) infrastructure. These IOCTL commands allow TOFUDRV to receive instructions and payloads, execute them, and send results back to the attacker without generating noticeable traffic that could alert network defenders. This ability to communicate covertly with external sources without relying on traditional network connections significantly reduces the chances of detection.
The malware’s kernel-level operation allows TOFUDRV to carry out various malicious tasks with minimal interference or visibility from security solutions. For instance, it can monitor and modify file system activity, registry settings, and network traffic in real-time. By controlling these system components, TOFUDRV can facilitate data exfiltration, deploy additional malicious payloads, or block network traffic between the victim’s machine and security monitoring tools. It also has the capability to persist within the system by embedding itself deeply into the kernel, making it difficult for traditional malware removal tools to detect and eliminate.
One of TOFUDRV’s key advantages is its ability to bypass traditional detection methods that rely on inspecting user-space activities or traffic anomalies. Because it operates within the kernel and communicates using encrypted, undetectable IOCTL commands, most security software, including firewalls, antivirus, and EDR solutions, struggles to identify and neutralize the threat. In addition to avoiding detection, TOFUDRV can manipulate system logs and other traces of its activity, further complicating the efforts of security analysts trying to uncover its presence.
Furthermore, TOFUDRV is capable of loading additional drivers or modifying existing ones, which can enhance its functionality or help it evade detection further. These drivers act as intermediaries within the operating system, allowing TOFUDRV to filter or block network traffic, inspect file system objects, and even modify registry entries. The ability to load or modify drivers gives the malware a powerful way to remain persistent on the infected system while also enabling more complex attacks, such as network sniffing or preventing certain system services from executing properly.
TOFUDRV’s behavior is consistent with other advanced persistent threat (APT) techniques, where stealth and persistence are prioritized. By embedding itself within the kernel, using low-level system calls, and employing encrypted communication channels, TOFUDRV is able to carry out long-term espionage operations, all while maintaining a minimal footprint. This makes the malware a potent tool for cybercriminals and state-sponsored actors seeking to maintain undetected access to sensitive environments. As detection methods evolve, defending against threats like TOFUDRV will require more advanced strategies, including monitoring kernel-level activities, analyzing encrypted traffic, and employing behavior-based detection techniques to identify subtle anomalies indicative of this advanced malware.
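The kernel-level monitoring called for above, applied to the driver-loading behaviour described two paragraphs earlier, as an added example that is not part of this profile or of any UNC1860 tooling: it triages records shaped like Sysmon Event ID 6 (DriverLoad) and Windows System log Event ID 7045 (new service) for drivers that are unsigned, carry a non-valid signature, are loaded from outside the standard driver directories, or are registered as a new kernel-mode service. The sample records and the list of expected driver directories are constructed assumptions, not real indicators.

```python
# Directories where legitimately installed drivers normally live (assumption).
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

# Constructed sample records shaped like Sysmon Event ID 6 (DriverLoad) and
# System log Event ID 7045 (new service); none are real TOFUDRV indicators.
SAMPLE_EVENTS = [
    {"EventID": "6", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"EventID": "6", "ImageLoaded": r"C:\Users\Public\upd.sys",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-"},
    {"EventID": "6", "ImageLoaded": r"C:\Windows\Temp\netflt.sys",
     "Signed": "true", "SignatureStatus": "Expired", "Signature": "Example Vendor"},
    {"EventID": "7045", "ServiceName": "netflt", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Windows\Temp\netflt.sys"},
    {"EventID": "7045", "ServiceName": "Spooler", "ServiceType": "user mode service",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

def _normalize(path: str) -> str:
    """Lower-case the path and strip the NT \\??\\ prefix seen in service ImagePath."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p

def _path_reasons(path: str) -> list[str]:
    """Flag a driver image that lives outside the standard driver directories."""
    if not _normalize(path).startswith(EXPECTED_DRIVER_DIRS):
        return ["driver image outside standard driver directories"]
    return []

def triage_driver_events(events: list[dict[str, str]]) -> list[tuple[str, list[str]]]:
    """Return (normalized image path, reasons) for each event an analyst should review."""
    findings: list[tuple[str, list[str]]] = []
    for ev in events:
        reasons: list[str] = []
        if ev.get("EventID") == "6":  # Sysmon DriverLoad: check signature, then location
            path = ev["ImageLoaded"]
            if ev.get("Signed", "").lower() != "true":
                reasons.append("driver is unsigned")
            elif ev.get("SignatureStatus") != "Valid":
                reasons.append(f"signature status {ev.get('SignatureStatus')}")
        elif ev.get("EventID") == "7045" and "kernel" in ev.get("ServiceType", "").lower():
            path = ev["ImagePath"]  # a new kernel-mode driver service is a persistence point
            reasons.append("new kernel-mode driver service registered")
        else:
            continue  # user-mode services and other event types are out of scope here
        reasons += _path_reasons(path)
        if reasons:
            findings.append((_normalize(path), reasons))
    return findings
```

Running `triage_driver_events(SAMPLE_EVENTS)` leaves the Microsoft-signed driver and the user-mode service untouched and returns three findings, two of which point at the same driver image loaded from a temporary directory and then registered as a kernel service.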