New advanced malware targets LATAM businesses with TOITOIN Trojan, revealing intricate layers. The complete attack is based on a multi-stage process that involves the following key things which highlight the severe effect of it:-
Phishing emails
Custom built modules
Sophisticated TTPs
The cybersecurity researchers at Zscaler ThreatLabz recently uncovered a new targeted attack on LATAM (Latin American) businesses in the current era of evolving cyber threat landscape.
Across each stage, a multi-staged infection chain is followed using the custom modules by the trojan that is deployed in this campaign.
Through the reboots and process checks, the custom modules execute malicious activities like:-
Code injection
UAC circumvention
Sandbox evasion
Campaign deploys TOITOIN Trojan, which is the ultimate payload with XOR decryption for configuration file decoding. Decrypted trojan collects the following data and sends them to the attackers’ server in encoded format:-
System info
Browser data
Topaz OFD info
TOITOIN TrojanInfection Chain
A major breakthrough was made by the threat hunters within the Zscaler cloud in May 2023. They found compressed ZIP archives that comprise several hidden malware samples, all hosted by Amazon EC2.
The targeted campaign uses the TOITOIN malware infection chain, starting with a well-crafted phishing email compromise. While the deceptive email strategically targets a Latin American Investment Banking company in this campaign.
The email is carefully crafted with a Payment Notification Lure, urging the recipient to click ‘Visualizar Boleto’ (View Invoice). While this creates urgency among users and lures them to open the contents of the email, making them fall into the threat actors’ trap.
A chain of events was initiated by the user unknowingly when they click the phishing email button.
Then the following URL is opened, which serves as an intermediary redirect:-
Now after that, to the following address, once again the browser of the victim gets redirected:-
http[:]//contatosclientes[.]services/upthon
Now here, to compromise the defense mechanism of the victim, the malicious ZIP archive is downloaded onto the system of the victim discreetly.
Here below we have mentioned all the domains that are used to deliver the malicious ZIP archives:-
atendimento-arquivos[.]com
arquivosclientes[.]online
fantasiacinematica[.]online
Threat actors use dynamic ZIP archive names, making it harder to detect and mitigate their intentions.
Multi-Staged TOITOIN Infection Chain
The multi-staged TOITOIN infection chain involves six stages, and here below we have mentioned them:-
Stage-1: Downloader module
Stage-2: Krita Loader DLL (ffmpeg.dll)
Stage-3: InjectorDLL Module
Stage-4: ElevateInjectorDLL Module
Stage-5: BypassUAC Module
Stage-6: TOITOIN Trojan
While for communication, the TOITOIN Trojan communicates with C&C (Command & Control) server that is located at:-
http[:]//afroblack[.]shop/CasaMoveis\ClienteD.php
Then it transmits the following information:-
Encoded system information
Browser details
Topaz OFD Protection Module information
TOITOIN malware campaign exposes the evolving tactics of threat actors targeting businesses in Latin America. While for successful malicious payload delivery, they use:-
Deceptive phishing emails
Intricate redirect mechanisms
Domain diversification
Moreover, the use of Amazon EC2 and dynamic file names shows their persistence in compromising systems and also the capability to adapt.