TOITOIN is a new Windows-based banking trojan active since 2023. According to researchers at Zscaler, the malware targets businesses operating in Latin America (LATAM) and uses a multi-stage infection chain built from custom-made modules.
These modules handle tasks such as injecting code into remote processes, bypassing User Account Control (UAC) via the COM Elevation Moniker, and evading sandboxes through techniques such as forcing a system reboot before the payload runs and checking the parent process.
The trojan can collect data from installed web browsers like Google Chrome, Microsoft Edge, Internet Explorer, Mozilla Firefox, and Opera as well as system information. It also checks for Topaz Online Fraud Detection (OFD), an anti-fraud module embedded into financial platforms in the LATAM region.
How the TOITOIN Banking Trojan Works
The infection chain has six stages. It begins with an invoice-themed phishing email whose link leads to a ZIP archive hosted on an Amazon EC2 instance; hosting the archive on a cloud provider's infrastructure rather than on an attacker-registered domain helps the lure evade domain-based detection.
The ZIP archive contains a downloader executable that establishes persistence by placing an LNK file in the Windows Startup folder and contacts a remote server to retrieve six next-stage payloads. The payloads are served as files with .mp3 extensions, a disguise for what are in fact executables and encoded components.
The downloader also creates a batch script that restarts the machine after a 10-second timeout. Because the malicious activity only begins after the reboot, the researchers say, a sandbox that does not survive a restart never observes it.
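As an added example (not code from the article or from Zscaler), the following Python triage script applies two checks a responder could run against the dropped files described above: it compares each file's extension with its real content by magic bytes, catching media-named files that are actually executables or opaque encrypted blobs, and it looks for a batch script that schedules a delayed reboot. The file names, contents and the exact form of the shutdown command are constructed assumptions; the article does not quote the script.

```python
"""Triage dropped payloads for the two tricks described above.

Added example, not code from the original article or from Zscaler. The
inputs are constructed in-memory stand-ins for the downloader's drops;
file names, contents and the shutdown command line are assumptions.
"""
import re
from typing import Dict, List

# Magic bytes that identify what a file really is, regardless of extension.
MAGIC = {
    b"MZ": "pe",             # Windows executable or DLL
    b"\xff\xd8\xff": "jpeg",
    b"ID3": "mp3",           # MP3 with an ID3v2 tag
    b"\xff\xfb": "mp3",      # bare MPEG audio frame sync
    b"PK\x03\x04": "zip",
}

# Content types that are legitimate for a given extension.
EXPECTED = {".mp3": {"mp3"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".zip": {"zip"}}

# Assumed form of the reboot command: "shutdown /r /t 10" or "shutdown -r -t 10".
REBOOT_RE = re.compile(
    r"\bshutdown\b[^\r\n]*?[/-]r\b[^\r\n]*?[/-]t\s+(\d+)", re.IGNORECASE
)


def sniff(data: bytes) -> str:
    """Classify content by leading magic bytes; 'unknown' for opaque blobs."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def ext_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage(drops: Dict[str, bytes]) -> List[str]:
    """Return one finding per suspicious artifact, in input order."""
    findings: List[str] = []
    for name, data in drops.items():
        ext, kind = ext_of(name), sniff(data)
        # 1. Extension claims media, content is something else (PE, or an
        #    encrypted blob that no known magic matches).
        if ext in EXPECTED and kind not in EXPECTED[ext]:
            findings.append(f"{name}: extension {ext} but content is {kind}")
        # 2. Batch script that schedules a reboot, the sandbox-evasion step.
        if ext in (".bat", ".cmd"):
            match = REBOOT_RE.search(data.decode("latin-1"))
            if match:
                findings.append(f"{name}: schedules reboot in {match.group(1)}s")
    return findings


# Constructed sample drops (not real TOITOIN artifacts).
SAMPLE_DROPS = {
    "icepdfeditor.mp3": b"MZ\x90\x00" + b"\x00" * 60,   # PE behind an .mp3 name
    "music.mp3": b"ID3\x04\x00" + b"\x00" * 60,         # genuine MP3 header
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,    # genuine JPEG header
    "stage2.jpg": b"\x7b\x12\x9c\x4e" + b"\x00" * 60,   # opaque encoded blob
    "restart.bat": b"@echo off\r\nshutdown /r /t 10\r\n",
}

if __name__ == "__main__":
    for line in triage(SAMPLE_DROPS):
        print(line)
```

The magic-byte check is deliberately strict: a JPG that decodes into a DLL is flagged as "unknown" just as a renamed PE is flagged as "pe", because in both cases the extension is lying about the content.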
Among the fetched payloads is “icepdfeditor.exe,” a legitimately signed binary from ZOHO Corporation Private Limited. When executed, it sideloads a rogue DLL named “ffmpeg.dll,” which the researchers codenamed the Krita Loader: the signed executable looks for the DLL in its own directory first, so the malicious copy placed beside it is loaded in place of the genuine library.
The loader decodes a JPG file downloaded alongside the other payloads into a further component, the InjectorDLL module, and runs it; InjectorDLL in turn decodes a second JPG file into the ElevateInjectorDLL module.
InjectorDLL then injects ElevateInjectorDLL into the “explorer.exe” process, where it bypasses User Account Control (UAC) if the process is not already elevated, and finally decrypts the TOITOIN trojan and injects it into a “svchost.exe” process.
Running with elevated privileges lets the operators tamper with system files and execute commands that a standard user could not. Because the command-and-control (C2) server was no longer operational at the time of analysis, it is unknown what responses it returned to infected hosts.
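The following Python is an added example, not code from the article or from Zscaler. It encodes three generic detection rules for the steps just described and runs them over constructed Sysmon-style event records (process create, image load, create remote thread): an svchost.exe not started by services.exe, an unsigned DLL loaded from the loading executable's own directory outside Windows or Program Files (the sideloading pattern), and a remote thread created in explorer.exe or svchost.exe. Paths, PIDs and signature states are assumptions, and the rules are heuristics for this class of behaviour rather than signatures for TOITOIN itself.

```python
"""Detection rules for the sideloading, injection and lineage steps above.

Added example, not code from the original article or from Zscaler. The event
records are constructed stand-ins for Sysmon process-create (ID 1), image-load
(ID 7) and create-remote-thread (ID 8) events; paths, PIDs and the 'Signed'
values are assumptions.
"""
import ntpath
from typing import Callable, Dict, List

# Directories where loading a DLL from the executable's own folder is normal.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# svchost.exe is started by the Service Control Manager, i.e. services.exe.
SVCHOST_PARENTS = {"services.exe"}

# Injection targets used in the chain described (explorer.exe, svchost.exe).
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def in_trusted_dir(path: str) -> bool:
    return _dir(path).startswith(TRUSTED_DIRS)


def check_process_create(ev: Dict) -> List[str]:
    """ID 1: svchost.exe with an unexpected parent (spawned or hollowed by malware)."""
    image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
    if image == "svchost.exe" and parent not in SVCHOST_PARENTS:
        return [f"pid {ev['ProcessId']}: svchost.exe spawned by {parent}, expected services.exe"]
    return []


def check_image_load(ev: Dict) -> List[str]:
    """ID 7: sideloading heuristic.

    The DLL sits in the executable's own directory, that directory is outside
    Windows/Program Files (so user-writable), and Sysmon reports it unsigned.
    """
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if _dir(exe) == _dir(dll) and not in_trusted_dir(exe) and ev.get("Signed", "false") == "false":
        return [f"pid {ev['ProcessId']}: {_base(exe)} sideloaded unsigned {_base(dll)} from {_dir(exe)}"]
    return []


def check_remote_thread(ev: Dict) -> List[str]:
    """ID 8: a thread created by one process inside a usual injection target."""
    src, tgt = ev["SourceImage"], ev["TargetImage"]
    if _base(tgt) in INJECTION_TARGETS and _base(src) != _base(tgt):
        return [f"pid {ev['SourceProcessId']}: {_base(src)} created a remote thread in "
                f"{_base(tgt)} (pid {ev['TargetProcessId']})"]
    return []


CHECKS: Dict[int, Callable[[Dict], List[str]]] = {
    1: check_process_create, 7: check_image_load, 8: check_remote_thread,
}


def analyse(events: List[Dict]) -> List[str]:
    findings: List[str] = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        if check:
            findings.extend(check(ev))
    return findings


# Constructed sample telemetry (not real TOITOIN data): an executable in a
# user-writable folder loads ffmpeg.dll from the same folder, creates a thread
# in explorer.exe, and an svchost.exe then appears with explorer.exe as parent.
TEMP = r"C:\Users\ana\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": TEMP + r"\icepdfeditor.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 4120, "Image": TEMP + r"\icepdfeditor.exe",
     "ImageLoaded": TEMP + r"\ffmpeg.dll", "Signed": "false"},
    {"EventID": 7, "ProcessId": 4120, "Image": TEMP + r"\icepdfeditor.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": TEMP + r"\icepdfeditor.exe",
     "TargetProcessId": 3324, "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5588, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_EVENTS):
        print(line)
```

The sideloading rule keys on the DLL's signature state rather than on the DLL name, because the point of the technique is that a trusted, signed executable carries the attacker's code; the name "ffmpeg.dll" is incidental and any DLL the signed binary resolves from its own directory would do.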