Multi-stage TOITOIN Trojan Abusing Amazon EC2 Instances to Evade Detections

New advanced malware targets LATAM businesses with TOITOIN Trojan, revealing intricate layers. The complete attack is based on a multi-stage process that involves the following key things which highlight the severe effect of it:-

• Phishing emails
• Custom built modules
• Sophisticated TTPs

The cybersecurity researchers at Zscaler ThreatLabz recently uncovered a new targeted attack on LATAM (Latin American) businesses in the current era of evolving cyber threat landscape.

Across each stage, a multi-staged infection chain is followed using the custom modules by the trojan that is deployed in this campaign.

Through the reboots and process checks, the custom modules execute malicious activities like:-

• Code injection
• UAC circumvention
• Sandbox evasion

Campaign deploys TOITOIN Trojan, which is the ultimate payload with XOR decryption for configuration file decoding. Decrypted trojan collects the following data and sends them to the attackers’ server in encoded format:-

• System info
• Browser data
• Topaz OFD info

TOITOIN Trojan Infection Chain

A major breakthrough was made by the threat hunters within the Zscaler cloud in May 2023. They found compressed ZIP archives that comprise several hidden malware samples, all hosted by Amazon EC2.

The targeted campaign uses the TOITOIN malware infection chain, starting with a well-crafted phishing email compromise. While the deceptive email strategically targets a Latin American Investment Banking company in this campaign. 

The email is carefully crafted with a Payment Notification Lure, urging the recipient to click ‘Visualizar Boleto’ (View Invoice). While this creates urgency among users and lures them to open the contents of the email, making them fall into the threat actors’ trap. 

A chain of events was initiated by the user unknowingly when they click the phishing email button.

Then the following URL is opened, which serves as an intermediary redirect:-

• http[:]//alemaoautopecas[.]com/1742241b/40c0/df052b5e975c.php?hash=aHR0cHM6Ly9teS5ub2lwLmNvbS9keW5hbWljLWRucw

Now after that, to the following address, once again the browser of the victim gets redirected:-

• http[:]//contatosclientes[.]services/upthon

Now here, to compromise the defense mechanism of the victim, the malicious ZIP archive is downloaded onto the system of the victim discreetly.

Here below we have mentioned all the domains that are used to deliver the malicious ZIP archives:-

• atendimento-arquivos[.]com
• arquivosclientes[.]online
• fantasiacinematica[.]online

Threat actors use dynamic ZIP archive names, making it harder to detect and mitigate their intentions. 

Multi-Staged TOITOIN Infection Chain

The multi-staged TOITOIN infection chain involves six stages, and here below we have mentioned them:-

• Stage-1: Downloader module
• Stage-2: Krita Loader DLL (ffmpeg.dll)
• Stage-3: InjectorDLL Module
• Stage-4: ElevateInjectorDLL Module
• Stage-5: BypassUAC Module
• Stage-6: TOITOIN Trojan

While for communication, the TOITOIN Trojan communicates with C&C (Command & Control) server that is located at:-

• http[:]//afroblack[.]shop/CasaMoveis\ClienteD.php

Then it transmits the following information:-

• Encoded system information
• Browser details
• Topaz OFD Protection Module information

TOITOIN malware campaign exposes the evolving tactics of threat actors targeting businesses in Latin America. While for successful malicious payload delivery, they use:-

• Deceptive phishing emails
• Intricate redirect mechanisms
• Domain diversification

Moreover, the use of Amazon EC2 and dynamic file names shows their persistence in compromising systems and also the capability to adapt.

Source: https://cybersecuritynews.com/toitoin-amazon-ec2-instances/