TOITOIN Banking Trojan
Share this:
Researchers have discovered a new banking trojan dubbed as TOITOIN, affecting windows based systems
Active since this year, the malware targets businesses operating in Latin America. It employs a multi-stage infection chain and custom-made modules.
The modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks.
The trojan can collect data from almost all installed web browsers and system information. It also checks for Topaz Online Fraud Detection (OFD), an anti-fraud module embedded into financial platforms in the LATAM region.
TOITOIN is developed as a six stage infection campaign . It all begins with a phishing email. To trick users into opening the phishing message, threat actors use an invoice-themed scam. The email contains a malicious link that, in order to avoid domain-based detection, leads to a ZIP archive hosted on an Amazon EC2 instance.
Within the ZIP archive is a downloader executable that is used to set up persistence by means of an LNK file in the Windows Startup folder and communicate with a remote server to retrieve six next-stage payloads in the form of MP3 files.
A Batch script that restarts the machine after a 10-second timeout is also created by the downloader. Since the malicious actions only take place after the reboot, this is done to avoid sandbox detection, according to the researchers.
Included among the fetched payloads is “icepdfeditor.exe,” a valid signed binary by ZOHO Corporation Private Limited, which, when executed, sideloads a rogue DLL (“ffmpeg.dll”) codenamed Krita Loader.
The loader is made to decode a JPG file that was downloaded along with the other payloads and launch a different executable called the InjectorDLL module, which converts a second JPG file into what is known as the ElevateInjectorDLL module.
The TOITOIN Trojan is then decrypted and injected into the “svchost.exe” process by the InjectorDLL component after injecting ElevateInjectorDLL into the “explorer.exe” process and, if necessary, bypassing User Account Control (UAC) to elevate the process’s privileges.
The analysis further revealed the presence of downloader modules, injector modules, and backdoors, each playing a specific role in the overall infection chain.
This technique is used to facilitate further malicious activities by allowing cybercriminals to tamper with system files and execute commands with elevated privileges. Because the C2 server is no longer operational, it is currently unknown what kind of responses it provided.
Organizations should remain vigilant against evolving malware campaigns, implement strong security protocols, and regularly update their security systems to safeguard against such threats. By staying informed and proactive, businesses can effectively defend against emerging cyber threats and protect their critical assets.
Indicators of Compromise
1. Downloader Module:
- 8fc3c83b88a3c65a749b27f8439a8416
- 2fa7c647c626901321f5decde4273633
- ec2-3-89-143-150[.]compute-1[.]amazonaws[.]com/storage[.]php?e=Desktop-PC
- ec2-3-82-104-156[.]compute-1[.]amazonaws[.]com/storage.php?e=Desktop-PC
- http[:]//alemaoautopecas[.]com
- http[:]//contatosclientes[.]services
- atendimento-arquivos[.]com
- arquivosclientes[.]online
- fantasiacinematica[.]online
- http[:]//cartolabrasil[.]com
2. Krita Loader DLL:
- b7bc67f2ef833212f25ef58887d5035a
3. InjectorDLL Module
- 690bfd65c2738e7c1c42ca8050634166
4. ElevateInjectorDLL Module
- e6c7d8d5683f338ca5c40aad462263a6
- 191[.]252[.]203[.]222/Up/indexW.php
5. BypassUAC Module
- c35d55b8b0ddd01aa4796d1616c09a46
6. TOITOIN Trojan
- 7871f9a0b4b9c413a8c7085983ec9a72
- http[:]//bragancasbrasil[.]com
- http[:]//179[.]188[.]38[.]7
- http[:]//afroblack[.]shop/CasaMoveis\ClienteD.php
