Researchers at Zscaler ThreatLabz have discovered a worrying development in an attack campaign targeting companies in Latin America. This highly sophisticated campaign deploys a trojan through a multi-stage infection process. The final objective of the campaign is the distribution of a novel trojan named TOITOIN, which uses a custom XOR decryption routine to decipher its configuration file.

Diving into details

The creator of TOITOIN has meticulously planned and executed six distinct stages in the infection process:
  • The first stage is a phishing email that uses an invoice-themed lure to deceive users. To avoid detection based on domain reputation, the email contains a malicious link that directs users to a ZIP archive hosted on an Amazon EC2 instance.
  • To evade detection within sandbox environments, the downloader creates a Batch script that triggers a system restart with a 10-second timeout. By starting its malicious activity only after the reboot, the threat actors aim to bypass sandbox detection mechanisms.
  • The loader component decrypts a downloaded JPG file and executes the resulting executable, known as the InjectorDLL module. This module, in turn, decodes a second JPG file into a specialized component called the ElevateInjectorDLL module.
  • The InjectorDLL module first injects the ElevateInjectorDLL into the "explorer.exe" process; it then decrypts the TOITOIN Trojan and injects it into the "svchost.exe" process.
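The reboot-with-short-timeout step is a detectable pattern: a batch script spawning a restart with a timeout of only a few seconds is rare in legitimate administration. The following is an added example, not code from the Zscaler report or from the malware, that scans constructed Sysmon-style process-creation events for exactly that behaviour. The event field names, the `shutdown /r /t N` command form and the 30-second threshold are assumptions for illustration.

```python
import json
import re

# Constructed Sysmon-style process-creation events (not from any real host).
# Backslashes are doubled because each line is JSON text.
SAMPLE_EVENTS = [
    r'{"pid": 5012, "image": "C:\\Windows\\System32\\shutdown.exe", "cmdline": "shutdown /r /t 600", "parent_image": "C:\\Windows\\System32\\cmd.exe", "parent_cmdline": "cmd.exe /c C:\\Scripts\\patch-reboot.bat"}',
    r'{"pid": 5140, "image": "C:\\Windows\\System32\\shutdown.exe", "cmdline": "shutdown.exe /r /t 10", "parent_image": "C:\\Windows\\System32\\cmd.exe", "parent_cmdline": "cmd.exe /c C:\\Users\\Public\\Downloads\\invoice.bat"}',
    r'{"pid": 5201, "image": "C:\\Windows\\System32\\shutdown.exe", "cmdline": "shutdown -s -t 0", "parent_image": "C:\\Windows\\explorer.exe", "parent_cmdline": "explorer.exe"}',
    r'{"pid": 5322, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe restart.bat", "parent_image": "C:\\Windows\\explorer.exe", "parent_cmdline": "explorer.exe"}',
]

SHORT_REBOOT_MAX_SECONDS = 30  # assumed threshold; the campaign described above used 10 seconds

REBOOT_FLAG = re.compile(r"(?:^|\s)[/-]r(?=\s|$)", re.IGNORECASE)     # /r or -r: restart
TIMEOUT_FLAG = re.compile(r"(?:^|\s)[/-]t\s+(\d+)", re.IGNORECASE)     # /t N or -t N: delay


def is_short_reboot(cmdline):
    """True when cmdline is a shutdown restart (/r) with a timeout at or below the threshold."""
    if not REBOOT_FLAG.search(cmdline):
        return False
    match = TIMEOUT_FLAG.search(cmdline)
    return match is not None and int(match.group(1)) <= SHORT_REBOOT_MAX_SECONDS


def find_scripted_short_reboots(event_lines):
    """Return one alert per short-timeout reboot, noting whether a batch script launched it."""
    alerts = []
    for line in event_lines:
        event = json.loads(line)
        if not event["image"].lower().endswith("\\shutdown.exe"):
            continue
        if not is_short_reboot(event["cmdline"]):
            continue
        parent_cmdline = event.get("parent_cmdline", "")
        # A .bat/.cmd parent matches the downloader behaviour described above; other
        # parents (e.g. an interactive shell) are still reported, at lower confidence.
        batch_parent = re.search(r"\.(bat|cmd)\b", parent_cmdline, re.IGNORECASE) is not None
        alerts.append({
            "pid": event["pid"],
            "cmdline": event["cmdline"],
            "parent_cmdline": parent_cmdline,
            "batch_parent": batch_parent,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_scripted_short_reboots(SAMPLE_EVENTS):
        print(alert)
```

On the sample events only the 10-second reboot launched from a batch script is reported; the 600-second maintenance reboot and the interactive shutdown are not.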

A bit on TOITOIN Trojan

TOITOIN can collect system information and extract data from popular web browsers, including Google Chrome, Microsoft Edge, Internet Explorer, Mozilla Firefox, and Opera.
  • Additionally, it specifically checks for the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module commonly integrated into banking platforms within the LATAM region.
  • The malware uses XOR-based routines to decode its configuration files and to encode the system information it transmits to the C2 server.
  • Furthermore, it uses the COM Elevation Moniker to bypass User Account Control (UAC), ensuring that its malicious code runs with elevated privileges.

The bottom line

The targeted TOITOIN malware campaign, aimed at businesses in Latin America, showcases the advancing strategies and growing complexity employed by malicious actors. It is crucial for organizations to maintain a high level of vigilance against evolving malware campaigns, establish robust security protocols, and regularly update their security systems to protect against these threats.
Cyware Publisher