Businesses operating in the Latin American (LATAM) region have been the target of a new Windows-based banking trojan called TOITOIN since May 2023.
"This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage," Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week.
"These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks."
The six-stage endeavor has all the hallmarks of a well-crafted attack sequence, beginning with a phishing email containing an embedded link that points to a ZIP archive hosted on an Amazon EC2 instance to evade domain-based detections.
The email messages leverage an invoice-themed lure to trick unwitting recipients into opening them, thereby activating the infection. Within the ZIP archive is a downloader executable that's engineered to set up persistence by means of an LNK file in the Windows Startup folder and communicate with a remote server to retrieve six next-stage payloads in the form of MP3 files.
The downloader is also responsible for generating a Batch script that restarts the system after a 10-second timeout. This is done so as to "evade sandbox detection since the malicious actions occur only after the reboot," the researchers said.
Included among the fetched payloads is "icepdfeditor.exe," a valid signed binary by ZOHO Corporation Private Limited, which, when executed, sideloads a rogue DLL ("ffmpeg.dll") codenamed the Krita Loader.
The loader, for its part, is designed to decode a JPG file downloaded alongside the other payloads and launch another executable known as the InjectorDLL module, which reverses a second JPG file to form what's called the ElevateInjectorDLL module.
The InjectorDLL component subsequently injects ElevateInjectorDLL into the "explorer.exe" process, following which a User Account Control (UAC) bypass is carried out, if required, to elevate the process privileges, and the TOITOIN Trojan is decrypted and injected into the "svchost.exe" process.
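The persistence, reboot-based sandbox evasion and DLL sideloading steps described above each leave a footprint in endpoint telemetry that a defender can hunt for. The following Python script is an added example and not code from Zscaler's report: it runs three such heuristics over constructed Sysmon-style event records (the file paths, user name, event layout and the 30-second reboot threshold are assumptions, not indicators from the report), flagging an LNK written to the Startup folder by a process running from a user-writable directory, a reboot scheduled with a short timeout from a batch-launched cmd.exe, and a signed host executable loading ffmpeg.dll from a user-writable directory.

```python
"""Hunting heuristics for the TOITOIN-style infection chain, run over
constructed Sysmon-like event records (not telemetry from a real host)."""
import re
from dataclasses import dataclass

# Constructed sample events. Field names mimic Sysmon (ProcessCreate,
# FileCreate, ImageLoad); every path and user name here is invented.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Users\alice\Downloads\factura.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\alice\Downloads\factura.exe"'},
    {"event": "FileCreate", "image": r"C:\Users\alice\Downloads\factura.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\update.lnk"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\Downloads\factura.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\r.bat"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\shutdown.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "shutdown /r /t 10"},
    {"event": "ImageLoad", "image": r"C:\Users\alice\AppData\Local\Temp\icepdfeditor.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\ffmpeg.dll", "signed": "true"},
    # Benign look-alikes that the rules must NOT flag:
    {"event": "ImageLoad", "image": r"C:\Program Files\VideoTool\app.exe",
     "loaded": r"C:\Program Files\VideoTool\ffmpeg.dll", "signed": "true"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\shutdown.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "shutdown /s /t 3600"},
]

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
TIMEOUT_FLAG = re.compile(r"(?:^|\s)/t\s+(\d+)", re.IGNORECASE)
REBOOT_MAX_SECONDS = 30          # assumption: the report cites a 10-second timeout
SIDELOAD_DLLS = {"ffmpeg.dll"}   # DLL name taken from the report


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_startup_lnk(ev: dict):
    """LNK dropped into the Startup folder by a process in a user-writable dir."""
    if ev["event"] != "FileCreate":
        return None
    if STARTUP_LNK.search(ev["target"]) and USER_WRITABLE.match(ev["image"]):
        return Finding("startup-lnk-persistence", ev["image"], ev["target"])
    return None


def rule_short_reboot(ev: dict):
    """shutdown.exe /r with a short timeout, spawned by a batch-launched cmd.exe."""
    if ev["event"] != "ProcessCreate" or basename(ev["image"]) != "shutdown.exe":
        return None
    args = ev["cmdline"].lower().split()
    m = TIMEOUT_FLAG.search(ev["cmdline"])
    if ("/r" in args and m and int(m.group(1)) <= REBOOT_MAX_SECONDS
            and basename(ev["parent"]) == "cmd.exe"):
        return Finding("short-timeout-reboot", ev["parent"], ev["cmdline"])
    return None


def rule_sideload(ev: dict):
    """Signed host binary loading a known-sideloaded DLL from a user-writable dir."""
    if ev["event"] != "ImageLoad":
        return None
    if (basename(ev["loaded"]) in SIDELOAD_DLLS and ev.get("signed") == "true"
            and USER_WRITABLE.match(ev["loaded"])):
        return Finding("signed-host-dll-sideload", ev["image"], ev["loaded"])
    return None


RULES = (rule_startup_lnk, rule_short_reboot, rule_sideload)


def hunt(events) -> list:
    """Apply every rule to every event; return findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process} -> {f.detail}")
```

Each rule deliberately requires two conditions (for example the Startup-folder LNK alone is common; it is the combination with a writer that lives under C:\Users that narrows it), and the two benign look-alike events in the sample show the false-positive cases the thresholds are meant to exclude. In production the same logic maps onto a SIEM query with the process-creation and image-load sources your EDR already ships.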
"This technique allows the malware to manipulate system files and execute commands with elevated privileges, facilitating further malicious activities," the researchers explained.
TOITOIN comes with capabilities to gather system information as well as harvest data from installed web browsers such as Google Chrome, Microsoft Edge, Internet Explorer, Mozilla Firefox, and Opera. Furthermore, it checks for the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module integrated into banking platforms in the LATAM region.
The nature of the responses from the command-and-control (C2) server is presently not known because the server is no longer available.
"Through deceptive phishing emails, intricate redirect mechanisms, and domain diversification, the threat actors successfully deliver their malicious payload," the researchers said. "The multi-staged infection chain observed in this campaign involves the use of custom-developed modules that employ various evasion techniques and encryption methods."