New TOITOIN Banking Trojan Targets Latin American Businesses


July 10, 2023 | THN | Enterprise / Malware Security

TOITOIN Banking Trojan

Businesses operating in the Latin America (LATAM) region have been targeted by a new Windows-based banking trojan called TOITOIN since May 2023.

“This sophisticated campaign uses a trojan that follows a multi-stage infection chain, leveraging custom-built modules at each stage,” Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week.

“This module is specifically designed to perform malicious activity, such as injecting malicious code into remote processes, circumventing User Account Control via COM Elevation Moniker, and avoiding detection by Sandbox through intelligent techniques such as system reboots and parent process checks.”

The six-stage infection chain has all the hallmarks of a well-crafted attack sequence, starting with a phishing email containing an embedded link that points to a ZIP archive hosted on an Amazon EC2 instance to evade domain-based detection.

The email messages make use of invoice-themed lures to trick unwitting recipients into opening them, thereby activating the infection. Inside the ZIP archive is a downloader executable designed to manage persistence through LNK files in the Windows Startup folder and communicate with a remote server to fetch six next-stage payloads in the form of MP3 files.

The downloader is also responsible for creating a Batch script that restarts the system after a 10-second timeout. This is done to “avoid sandbox detection because malicious actions only occur after a reboot,” the researchers said.

Included among the retrieved payloads is “icepdfeditor.exe,” a valid signed binary by ZOHO Corporation Private Limited, which, when run, sideloads a rogue DLL (“ffmpeg.dll”) codenamed Krita Loader.

The loader, for its part, is designed to decode JPG files downloaded alongside other payloads and launch another executable module known as the InjectorDLL module which inverts the second JPG file to form what is called the ElevateInjectorDLL module.

The InjectorDLL component next injects ElevateInjectorDLL into the “explorer.exe” process, after which a User Account Control (UAC) bypass is performed, if needed, to elevate the process privileges; the TOITOIN trojan is then decrypted and injected into the “svchost.exe” process.
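The chain described above hands a defender four concrete behaviours to alert on: a .lnk written into a Startup folder, a short-fuse "shutdown /r" launched from a batch file, a signed executable in a user-writable directory loading an unsigned DLL from beside itself, and a process from that directory creating a thread in explorer.exe or svchost.exe. The following Python is an added example, not Zscaler's or the article's code; it runs those four rules over a handful of constructed Sysmon-style events (dicts standing in for EID 11, 1, 7 and 8 records). The account name, the Temp drop directory, downloader.exe and restart.bat are assumed for illustration; icepdfeditor.exe, the ZOHO signer, ffmpeg.dll, explorer.exe and svchost.exe come from the article.

```python
"""Detection sketch for the TOITOIN infection-chain behaviours (added example)."""
import re
from dataclasses import dataclass

# Lower-cased path fragments used by the rules below.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\", "\\public\\")
# shutdown /r /t N  (the -r / -t spellings are accepted too); group 1 is the timeout
SHUTDOWN_RE = re.compile(r"\bshutdown(?:\.exe)?\b.*?[/-]r\b.*?[/-]t\s+(\d+)", re.I)
INJECTION_TARGETS = ("explorer.exe", "svchost.exe")


@dataclass
class Finding:
    rule: str
    detail: str


def _dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def startup_lnk(ev):
    """Persistence: a .lnk written into a Startup folder (Sysmon EID 11 FileCreate)."""
    if ev["type"] != "file_create":
        return None
    target = ev["target"]
    if target.lower().endswith(".lnk") and STARTUP_DIR in target.lower():
        return Finding("persistence.startup_lnk", f"{ev['image']} wrote {target}")
    return None


def short_reboot_from_batch(ev, max_seconds=60):
    """Sandbox evasion: shutdown /r with a short timeout, parent is a batch file (EID 1)."""
    if ev["type"] != "process_create":
        return None
    m = SHUTDOWN_RE.search(ev["cmdline"])
    if m is None:
        return None
    parent = ev.get("parent_cmdline", "").lower()
    if int(m.group(1)) <= max_seconds and ".bat" in parent:
        return Finding("evasion.reboot_from_batch",
                       f"reboot in {m.group(1)}s requested by {ev['parent_cmdline']}")
    return None


def dll_sideload(ev):
    """Sideloading: signed EXE in a user-writable dir loads an unsigned DLL from its own dir (EID 7)."""
    if ev["type"] != "image_load":
        return None
    exe, dll = ev["image"], ev["loaded"]
    if (ev["image_signed"] and not ev["loaded_signed"]
            and _dir(exe) == _dir(dll) and _user_writable(exe)):
        return Finding("defense_evasion.dll_sideload",
                       f"{exe} (signer: {ev['signer']}) loaded unsigned {dll}")
    return None


def remote_thread_into_system_process(ev):
    """Injection: a process from a user-writable path creates a thread in explorer/svchost (EID 8)."""
    if ev["type"] != "create_remote_thread":
        return None
    src, dst = ev["source"], ev["target"]
    if _user_writable(src) and _basename(dst) in INJECTION_TARGETS:
        return Finding("injection.remote_thread", f"{src} -> {dst}")
    return None


RULES = (startup_lnk, short_reboot_from_batch, dll_sideload, remote_thread_into_system_process)


def scan(events):
    """Run every rule over every event; returns the list of findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


TMP = r"C:\Users\alice\AppData\Local\Temp"  # constructed drop directory
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"type": "file_create", "image": TMP + r"\downloader.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"},
    {"type": "process_create", "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown.exe /r /t 10", "parent_cmdline": f'cmd.exe /c "{TMP}\\restart.bat"'},
    {"type": "image_load", "image": TMP + r"\icepdfeditor.exe", "image_signed": True,
     "signer": "ZOHO Corporation Private Limited",
     "loaded": TMP + r"\ffmpeg.dll", "loaded_signed": False},
    {"type": "create_remote_thread", "source": TMP + r"\icepdfeditor.exe",
     "target": r"C:\Windows\explorer.exe"},
    # benign: notepad loads a signed system DLL from System32
    {"type": "image_load", "image": r"C:\Windows\System32\notepad.exe", "image_signed": True,
     "signer": "Microsoft Windows", "loaded": r"C:\Windows\System32\kernel32.dll",
     "loaded_signed": True},
    # benign: an admin schedules a reboot interactively, 10 minutes out
    {"type": "process_create", "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /t 600", "parent_cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Each rule keys on the combination the article describes rather than on a single indicator, so the two benign events (a system DLL loaded from System32, an interactive reboot with a long timeout) produce nothing while the four malicious ones each fire exactly one rule. The sideload rule deliberately ignores the DLL's name: any unsigned library loaded from a user-writable directory by a signed binary sitting in that same directory is worth a look, whatever it is called.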

“This technique allows malware to manipulate system files and execute commands with higher privileges, facilitating further malicious activity,” the researchers explain.

TOITOIN comes with the ability to collect system information as well as data from installed web browsers such as Google Chrome, Microsoft Edge, Internet Explorer, Mozilla Firefox, and Opera. In addition, it checks for the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module integrated into banking platforms in the LATAM region.

The nature of the response from the command-and-control (C2) server is currently unknown because the server is no longer available.

“Through deceptive phishing emails, complex redirect mechanisms, and domain diversification, threat actors successfully deliver their malicious payloads,” the researchers said. “The multi-stage infection chain observed in this campaign involved the use of specially developed modules that employ various evasion techniques and encryption methods.”
