Trojan horse “TOITOIN” gallops through businesses in Latin America
Hackers use MP3 files to covertly deliver payloads to target computers.
“This complex campaign uses a Trojan that follows a multi-stage infection chain, using specially designed modules at each stage,” Zscaler researchers said.
“These modules are designed to perform malicious actions such as injecting malicious code into remote processes, bypassing User Account Control, and evading sandbox detection using tricky techniques such as rebooting the system and checking the parent process,” the experts added.
The six-step infection process has all the hallmarks of a well-planned campaign. It begins with a phishing email containing a link that leads to a ZIP archive hosted on an Amazon EC2 instance controlled by the attacker; hosting on EC2 is used to evade domain-based detection.
As bait, the attackers use financial themes such as invoices to fool unsuspecting recipients. Inside the ZIP archive is a downloader executable that establishes persistence on the system with a simple shortcut in the Windows Startup folder and then contacts a remote server to retrieve six further payloads, disguised as MP3 files to avoid detection.
MP3 decryption into executable files and libraries
The downloader also drops a batch script that restarts the system after a 10-second delay. This is done in order to “evade detection by the sandbox, since all malicious actions occur only after a reboot,” the researchers explained.
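Two of the behaviours described above, the Startup-folder shortcut used for persistence and the batch-scripted delayed reboot used as sandbox evasion, are cheap to hunt for in endpoint telemetry. The following is an added example, not code from the article or from Zscaler: it runs two simple rules over constructed Sysmon-style JSON events (ProcessCreate and FileCreate); the paths, file names and event values are made up for illustration.

```python
import json
import re
from typing import Optional

# Sysmon event IDs used below: 1 = ProcessCreate, 11 = FileCreate
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
DELAYED_REBOOT_RE = re.compile(r"\bshutdown(\.exe)?\b.*[/-]r\b.*[/-]t\s*\d+", re.I)

def detect(event: dict) -> Optional[str]:
    """Return a rule name when the event matches a hunted behaviour, else None."""
    eid = event.get("EventID")
    if eid == 11 and STARTUP_LNK_RE.search(event.get("TargetFilename", "")):
        # Any process writing a shortcut into a Startup folder is worth a look;
        # the article's downloader persists this way.
        return "startup_folder_lnk_persistence"
    if eid == 1:
        cmd = event.get("CommandLine", "")
        parent = event.get("ParentCommandLine", "")
        # A delayed restart launched from a batch file matches the sandbox
        # evasion the article describes (reboot after a 10-second delay).
        if DELAYED_REBOOT_RE.search(cmd) and ".bat" in parent.lower():
            return "batch_delayed_reboot_evasion"
    return None

def hunt(log_lines):
    """Run detect() over JSON-encoded events; return (rule, image) per hit."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        rule = detect(event)
        if rule:
            hits.append((rule, event.get("Image", "")))
    return hits

# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown.exe /r /t 10",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\r.bat"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown /r /t 0", "ParentCommandLine": "explorer.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Desktop\report.lnk"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_LOG):
        print(f"{rule}: {image}")
```

Legitimate installers also write Startup shortcuts and admins do schedule restarts, so treat a hit as a lead to triage (who wrote the file, what launched the batch) rather than a verdict.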
Krita Loader, in turn, decodes a JPG file downloaded along with the other payloads and runs another executable, known as the InjectorDLL module. That module converts the second downloaded JPG file into the so-called ElevateInjectorDLL module.
The InjectorDLL component then injects ElevateInjectorDLL into the “explorer.exe” system process. If necessary, User Account Control (UAC) is bypassed to elevate the process’s privileges, after which the TOITOIN trojan is decrypted and injected into the “svchost.exe” process.
“This technique allows the malware to manipulate system files and processes by executing commands with elevated privileges and facilitating further malicious actions,” the researchers explained.
TOITOIN has the ability to collect system information as well as extract data from installed web browsers such as Google Chrome, Microsoft Edge, Internet Explorer, Mozilla Firefox and Opera. It also checks for “Topaz Online Fraud Detection”, an anti-fraud module integrated into banking platforms in the Latin America region.
“Using deceptive phishing emails, sophisticated redirect mechanisms, and domain diversification, attackers successfully deliver their malicious payload,” the researchers said.
“The multi-stage chain of infection observed in this campaign includes the use of specially designed modules that use various evasion techniques and encryption methods,” the experts concluded.