Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023.
"This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage," Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week.
"These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks."
The six-stage endeavor has all the hallmarks of a well-crafted attack sequence, beginning with a phishing email containing an embedded link that points to a ZIP archive hosted on an Amazon EC2 instance to evade domain-based detections.
The email messages leverage an invoice-themed lure to trick unwitting recipients into opening them, thereby activating the infection. Within the ZIP archive is a downloader executable that's engineered to set up persistence by means of an LNK file in the Windows Startup folder and communicate with a remote server to retrieve six next-stage payloads in the form of MP3 files.
The downloader is also responsible for generating a Batch script that restarts the system after a 10-second timeout. This is done so as to "evade sandbox detection since the malicious actions occur only after the reboot," the researchers said.
Included among the fetched payloads is "icepdfeditor.exe," a valid signed binary by ZOHO Corporation Private Limited, which, when executed, sideloads a rogue DLL ("ffmpeg.dll") codenamed the Krita Loader.
The loader, for its part, is designed to decode a JPG file downloaded alongside the other payloads and launch another executable known as the InjectorDLL module that reverses a second JPG file to form what's called the ElevateInjectorDLL module.
The InjectorDLL component subsequently moves to inject ElevateInjectorDLL into the "explorer.exe" process, following which a User Account Control (UAC) bypass is carried out, if required, to elevate the process privileges and the TOITOIN Trojan is decrypted and injected into the "svchost.exe" process.
Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.Supercharge Your Skills
"This technique allows the malware to manipulate system files and execute commands with elevated privileges, facilitating further malicious activities," the researchers explained.
TOITOIN comes with capabilities to gather system information as well as harvest data from installed web browsers such as Google Chrome, Microsoft Edge and Internet Explorer, Mozilla Firefox, and Opera. Furthermore, it checks for the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module integrated into banking platforms in the LATAM region.
The nature of the responses from the command-and-control (C2) server is presently not known due to the fact that the server is no longer available.
"Through deceptive phishing emails, intricate redirect mechanisms, and domain diversification, the threat actors successfully deliver their malicious payload," the researchers said. "The multi-staged infection chain observed in this campaign involves the use of custom-developed modules that employ various evasion techniques and encryption methods."