
Businesses operating in Latin America (LATAM) have been targeted by a new Windows-based banking trojan called TOITOIN as of May 2023.
"This sophisticated campaign uses a multi-stage infection chain, with specially crafted modules in each stage," said Zscaler researchers Niraj Shivtarkar and Preet Kamal.
"These modules are custom designed to perform malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading sandbox detection through clever techniques such as system reboots and parent process checks."
The six-stage campaign has all the hallmarks of a well-engineered attack chain, starting with a phishing email containing an embedded link pointing to a ZIP archive hosted on an Amazon EC2 instance to avoid domain-based detection.
The emails use an invoice-themed lure to trick recipients into opening them, thereby triggering the infection. Within the ZIP archive is an executable downloader designed to establish persistence using an LNK file in the Windows Startup folder and to communicate with a remote server to retrieve the next-stage payloads disguised as an MP3 file.
The downloader is also responsible for generating a Batch script that restarts the system after a 10-second timeout. This is done to "avoid sandbox detection, because malicious actions occur only after a reboot," the researchers say.
Included among the fetched payloads is "icepdfeditor.exe", a validly signed binary from ZOHO Corporation Private Limited that, when executed, loads a rogue DLL file ("ffmpeg.dll") codenamed Krita Loader.

For its part, the loader is designed to decode a JPG file downloaded alongside the other payloads and launch another executable called the InjectorDLL module, which reverses a second JPG file to form the ElevateInjectorDLL module.
The InjectorDLL component then injects ElevateInjectorDLL into the "explorer.exe" process, which performs a User Account Control (UAC) bypass, if required, to elevate process privileges, after which the TOITOIN trojan is decrypted and injected into "svchost.exe".
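As an added illustration from a defender's view (this is not code from the Zscaler report), the following Python correlates three behaviours the chain above relies on over constructed Sysmon-style events: an LNK dropped in the Startup folder, a short-delay `shutdown /r` spawned from a batch file in a user-writable path, and a signed binary loading an unsigned DLL from its own directory. The event field names, Sysmon event IDs, paths and rule names are assumptions.

```python
import re

# Added example: event shapes, field names and rule names are assumptions.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
REBOOT_RE = re.compile(r"shutdown(\.exe)?\s+(/r|-r)\b.*?(/t|-t)\s+(\d+)", re.I)

def lnk_in_startup(ev):
    # FileCreate (Sysmon ID 11) of a shortcut in a per-user Startup folder
    return ev.get("id") == 11 and bool(STARTUP_RE.search(ev.get("target", "")))

def short_delay_reboot(ev):
    # ProcessCreate (ID 1): shutdown /r with a short timeout, launched by a
    # batch file that lives under a user-writable directory
    if ev.get("id") != 1:
        return False
    m = REBOOT_RE.search(ev.get("cmdline", ""))
    parent = ev.get("parent_cmdline", "").lower()
    return bool(m) and int(m.group(4)) <= 30 and ".bat" in parent and "\\users\\" in parent

def sideloaded_dll(ev):
    # ImageLoad (ID 7): a signed image loads an unsigned DLL from its own directory
    if ev.get("id") != 7 or ev.get("image_signed") != "true":
        return False
    img_dir = ev["image"].rsplit("\\", 1)[0].lower()
    dll_dir = ev["loaded"].rsplit("\\", 1)[0].lower()
    return img_dir == dll_dir and ev.get("loaded_signed") == "false"

RULES = [("lnk_in_startup", lnk_in_startup),
         ("short_delay_reboot", short_delay_reboot),
         ("sideloaded_dll", sideloaded_dll)]

def scan(events):
    """Return the sorted names of every rule that fired across the stream."""
    return sorted({name for ev in events for name, rule in RULES if rule(ev)})

# Constructed sample events modelled on the chain described in the article.
SAMPLE = [
    {"id": 11, "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                         r"\Start Menu\Programs\Startup\update.lnk"},
    {"id": 1, "cmdline": "shutdown.exe /r /t 10",
     "parent_cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\run.bat"},
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\icepdfeditor.exe",
     "image_signed": "true", "loaded_signed": "false",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\ffmpeg.dll"},
    {"id": 7, "image": r"C:\Windows\explorer.exe", "image_signed": "true",
     "loaded": r"C:\Windows\System32\shell32.dll", "loaded_signed": "true"},
]
if __name__ == "__main__":
    print(scan(SAMPLE))  # ['lnk_in_startup', 'short_delay_reboot', 'sideloaded_dll']
```

Any one rule alone is noisy on a real estate; the value is in seeing all three fire on the same host within a short window.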
"This technique allows the malware to manipulate system files and execute commands with elevated privileges, facilitating further malicious activities," the researchers explain.
TOITOIN comes with the ability to gather system information as well as data from installed web browsers such as Google Chrome, Microsoft Edge, Internet Explorer, Mozilla Firefox and Opera. Furthermore, it checks for the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module integrated into banking platforms in the LATAM region.
The nature of the responses from the command-and-control (C2) server is currently unknown, because the server is no longer available.
"Through phishing emails, complex redirection mechanisms, and domain diversification, threat actors successfully delivered their malicious payload," the researchers said. "The multi-stage infection chain observed in this campaign involves the use of custom-developed modules that use different evasion techniques and encryption methods."