
New TOITOIN banking Trojan targets Latin American businesses


Latin American (LATAM) businesses have become the prime targets of a newly discovered Windows-based banking trojan known as TOITOIN, which has been active since May 2023, according to a recent report published by Zscaler researchers Niraj Shivtarkar and Preet Kamal.

TOITOIN is delivered through a sophisticated, multi-staged infection chain that uses specially crafted modules at each stage. These modules are custom designed to carry out malicious activities, including injecting harmful code into remote processes, bypassing User Account Control via the COM Elevation Moniker, and evading sandbox detection with techniques such as system reboots and parent process checks.

The attack sequence of the TOITOIN trojan consists of six stages and exhibits the characteristics of a well-executed assault. It begins with phishing emails containing an embedded link that directs recipients to a ZIP archive hosted on an Amazon EC2 instance, effectively evading domain-based detections. The emails employ invoice-themed lures to entice unsuspecting victims into opening them, triggering the infection process.

Within the ZIP archive, a downloader executable is present, which establishes persistence through an LNK file in the Windows Startup folder. The downloader also establishes communication with a remote server to retrieve six next-stage payloads in the form of MP3 files.

The downloader generates a Batch script that initiates a system reboot after a 10-second timeout, a tactic employed to evade sandbox detection as the malicious actions occur only after the reboot.

One of the payloads fetched is “icepdfeditor.exe,” a legitimate signed binary by ZOHO Corporation Private Limited. When executed, it loads a rogue DLL (“ffmpeg.dll”) codenamed the Krita Loader. The loader decodes a JPG file downloaded alongside the other payloads and launches another executable called the InjectorDLL module. This module reverses a second JPG file to create the ElevateInjectorDLL module.
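The stages above share a detail a defender can act on: payloads arrive with misleading extensions (executables delivered as MP3 files, a DLL stored as a byte-reversed JPG) and a generated batch script schedules a reboot to outlast a sandbox. The following triage script is an added example, not code from Zscaler or from the report; it classifies content by magic bytes instead of by file name, detects a PE image that only appears when the bytes are read back-to-front, and flags batch files that schedule a reboot. The file names, the minimal fake PE header and the batch content are constructed sample input, not artifacts from the campaign.

```python
import os
import struct
from typing import Dict, List, Optional


def build_fake_pe() -> bytes:
    """Constructed minimal PE image: an 'MZ' DOS header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature. Not runnable, only enough
    structure for header checks. Used here purely as sample input."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40 bytes in total
    struct.pack_into("<I", dos_header, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 32


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_reversed_pe(data: bytes) -> bool:
    """True if reading the bytes back-to-front yields a PE image (file ends in 'ZM')."""
    return not looks_like_pe(data) and looks_like_pe(data[::-1])


def detect_format(data: bytes) -> str:
    """Classify content by magic bytes, ignoring whatever the file name claims."""
    if looks_like_pe(data):
        return "pe"
    if looks_like_reversed_pe(data):
        return "reversed-pe"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    # MP3: ID3 tag, or an MPEG frame sync (11 set bits) right at the start
    if data[:3] == b"ID3" or (len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        return "mp3"
    return "unknown"


def find_scheduled_reboot(script: str) -> Optional[Dict]:
    """Return {'line', 'delay'} for the first 'shutdown /r' in a batch script, else None.
    Accepts '/r /t 10' and '-r -t 10' flag styles; delay is None when no /t is given."""
    for lineno, line in enumerate(script.splitlines(), 1):
        tokens = line.strip().lower().split()
        if not tokens:
            continue
        command = tokens[0].rsplit("\\", 1)[-1].strip('"')
        if command not in ("shutdown", "shutdown.exe"):
            continue
        flags = ["/" + t[1:] if t.startswith("-") else t for t in tokens[1:]]
        if "/r" not in flags:
            continue
        delay = None
        if "/t" in flags:
            i = flags.index("/t")
            if i + 1 < len(flags) and flags[i + 1].isdigit():
                delay = int(flags[i + 1])
        return {"line": lineno, "delay": delay}
    return None


# What the extension promises; anything else is an extension/content mismatch.
EXPECTED_FORMAT = {".jpg": "jpeg", ".jpeg": "jpeg", ".mp3": "mp3", ".exe": "pe", ".dll": "pe"}


def triage_file(name: str, data: bytes) -> List[str]:
    """Return human-readable findings for one file (empty list = nothing unusual)."""
    findings: List[str] = []
    ext = os.path.splitext(name)[1].lower()
    fmt = detect_format(data)
    if fmt == "reversed-pe":
        findings.append(f"{name}: byte-reversed PE image hidden behind a {ext or 'missing'} extension")
    elif ext in EXPECTED_FORMAT and fmt != EXPECTED_FORMAT[ext]:
        findings.append(f"{name}: extension says {EXPECTED_FORMAT[ext]} but content is {fmt}")
    if ext in (".bat", ".cmd"):
        reboot = find_scheduled_reboot(data.decode("utf-8", errors="replace"))
        if reboot:
            findings.append(f"{name}: line {reboot['line']} schedules a reboot "
                            f"(delay {reboot['delay']}s), a known sandbox-evasion pattern")
    return findings


# Constructed sample files for this example; none of these are real TOITOIN artifacts.
SAMPLES = {
    "payload.jpg": build_fake_pe()[::-1],                 # reversed DLL stored as a "JPG"
    "stage2.mp3": build_fake_pe(),                        # executable delivered as an "MP3"
    "run.bat": b"@echo off\r\nshutdown /r /t 10\r\n",     # generated reboot script
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,      # genuine JPEG header, no finding
}

if __name__ == "__main__":
    for fname, content in SAMPLES.items():
        for finding in triage_file(fname, content) or [f"{fname}: nothing unusual"]:
            print(finding)
```

Run it against a directory of downloaded artifacts by feeding each file's bytes to `triage_file`; the reversed-PE check is cheap enough to apply to every image-like file, and the reboot check is the batch-script equivalent of the 10-second timeout described above.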

Subsequently, the InjectorDLL component injects ElevateInjectorDLL into the “explorer.exe” process, followed by a User Account Control (UAC) bypass if required to elevate process privileges. The TOITOIN Trojan is then decrypted and injected into the “svchost.exe” process, enabling it to manipulate system files and execute commands with elevated privileges.
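The two-hop injection just described (a loader injects into explorer.exe, and the code now running inside explorer.exe injects into svchost.exe) is visible to endpoint telemetry that records remote thread creation. The detection below is an added example written for this article, not Zscaler's detection logic; it runs over constructed events modelled on the fields of Sysmon Event ID 8 (CreateRemoteThread). The source path, PIDs and the assumption that anything legitimately starting threads inside explorer.exe or svchost.exe lives under the Windows directory are all made up for the example and would need tuning in a real environment.

```python
from typing import Dict, List

# Constructed events shaped like Sysmon Event ID 8 (CreateRemoteThread) records.
# The loader path and all PIDs are hypothetical, not indicators from the report.
EVENTS: List[Dict] = [
    {"EventID": 8, "SourceImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\stage.exe",
     "SourceProcessId": 4120, "TargetImage": "C:\\Windows\\explorer.exe", "TargetProcessId": 3004},
    {"EventID": 8, "SourceImage": "C:\\Windows\\explorer.exe",
     "SourceProcessId": 3004, "TargetImage": "C:\\Windows\\System32\\svchost.exe", "TargetProcessId": 1200},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "SourceProcessId": 600, "TargetImage": "C:\\Program Files\\Editor\\editor.exe", "TargetProcessId": 5520},
]

# Trusted-looking hosts that malware injects into to inherit their reputation.
HOSTS_OF_INTEREST = {"explorer.exe", "svchost.exe"}
# Assumption for this example: anything starting threads in those hosts should itself
# live under the Windows directory. Real deployments will need an allowlist per site.
TRUSTED_PREFIX = "c:\\windows\\"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_injections(events: List[Dict]) -> List[str]:
    """Return alerts for (a) remote threads created in explorer/svchost from an
    untrusted path and (b) chains where a process that was injected into earlier
    goes on to inject into another process. Events must be in time order."""
    alerts: List[str] = []
    injected_pids = set()          # PIDs that have already received a remote thread
    for ev in events:
        if ev.get("EventID") != 8:
            continue
        src, dst = ev["SourceImage"], ev["TargetImage"]
        if basename(dst) in HOSTS_OF_INTEREST:
            if not src.lower().startswith(TRUSTED_PREFIX):
                alerts.append(f"remote thread in {basename(dst)} (pid {ev['TargetProcessId']}) "
                              f"from untrusted path {src}")
            if ev["SourceProcessId"] in injected_pids:
                alerts.append(f"chained injection: pid {ev['SourceProcessId']} ({basename(src)}) "
                              f"was injected earlier and now targets {basename(dst)} "
                              f"(pid {ev['TargetProcessId']})")
        injected_pids.add(ev["TargetProcessId"])
    return alerts


if __name__ == "__main__":
    for alert in flag_injections(EVENTS):
        print(alert)
```

The first rule catches the loader-to-explorer hop on its own; the second rule is what makes the explorer-to-svchost hop stand out, since explorer.exe is a trusted path and would pass a plain path allowlist. Correlating on the target PID of earlier events is therefore the part worth keeping when adapting this to real telemetry.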

TOITOIN possesses the ability to gather system information and harvest data from popular web browsers such as Google Chrome, Microsoft Edge, Internet Explorer, Mozilla Firefox, and Opera. Additionally, it checks for the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module integrated into banking platforms in the LATAM region.

The researchers note that the nature of the responses from the command-and-control (C2) server is currently unknown as the server is no longer available.

The threat actors behind TOITOIN employ deceptive phishing emails, intricate redirect mechanisms, and domain diversification to successfully deliver their malicious payload. The campaign’s multi-staged infection chain involves the use of custom-developed modules that employ various evasion techniques and encryption methods, as explained by the researchers. They urge businesses operating in the LATAM region to remain vigilant against phishing attempts and to employ robust security measures to protect their systems and sensitive information. Regular software updates, strong email security protocols, and employee awareness training are vital components of a comprehensive defense strategy against sophisticated banking trojans like TOITOIN.
