CyberSecurity SEE

Banking Firms Under Attack by Sophisticated Toitoin Campaign


A highly sophisticated malware campaign is currently targeting businesses in Latin America through a multi-stage attack that begins with phishing and culminates in the deployment of a new Trojan called Toitoin. This Trojan is specifically designed to steal critical system information and data from financial institutions. Researchers from Zscaler recently discovered this elaborate campaign, which employs custom-built modules at each stage to inject malicious code into remote processes and evade User Account Control (UAC), among other tasks.

According to the researchers, the multi-staged infection chain observed in this campaign involves custom-developed modules that use various evasion techniques and encryption methods. One of the evasion tactics is hosting the malware on Amazon Elastic Compute Cloud (EC2) instances inside compressed ZIP archives. Because the files are served from EC2 rather than from attacker-registered domains, domain-based detection and blocking become much less effective. The ZIP archives themselves also employ an evasive measure: a new, randomly generated file name is produced with each download. This tactic further complicates analysis, making the downloads harder to identify and block by file name.
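The hosting pattern described above (ZIP archives served from EC2 with a file name that changes on every download) can be surfaced from web-proxy logs. The following is an added detection example, not code from the article or from Zscaler; it assumes a simplified, constructed log format (timestamp, client IP, requested URL, file name served) and uses the public EC2 hostname suffix plus a name-entropy threshold as assumed heuristics.

```python
import math
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (not from the article): time, client, URL, file name served.
SAMPLE_LOG = """\
2023-07-10T13:02:11Z 10.0.4.17 http://ec2-3-88-12-101.compute-1.amazonaws.com/docs/invoice q7x2hd9kzp.zip
2023-07-10T13:05:43Z 10.0.4.22 http://ec2-3-88-12-101.compute-1.amazonaws.com/docs/invoice m3vt8bq1ye.zip
2023-07-10T13:09:02Z 10.0.4.17 http://ec2-3-88-12-101.compute-1.amazonaws.com/docs/invoice a9pl4wn0rc.zip
2023-07-10T13:11:27Z 10.0.4.31 https://files.example-corp.internal/reports/q2 q2-report.zip
2023-07-10T13:14:05Z 10.0.4.22 https://cdn.example-vendor.com/setup setup-4.2.1.zip
"""

EC2_HOST = re.compile(r"\.compute(?:-\d+)?\.amazonaws\.com$", re.I)  # assumed EC2 public hostname suffix

def shannon_entropy(s: str) -> float:
    """Bits per character; a random 10-char alphanumeric stem scores ~3.3, a word like 'invoice' ~2.5."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parse_line(line: str) -> dict:
    ts, client, url, fname = line.split()
    return {"ts": ts, "client": client, "url": url, "host": urlparse(url).hostname or "", "fname": fname}

def find_suspicious_zip_downloads(log_text: str) -> list[dict]:
    """Flag ZIP downloads matching the hosting pattern in the article: archive served from an
    EC2 public hostname whose file name rotates between fetches of the same URL or looks random."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    names_per_url = defaultdict(set)
    for e in events:
        names_per_url[e["url"]].add(e["fname"])
    findings = []
    for e in events:
        if not e["fname"].lower().endswith(".zip") or not EC2_HOST.search(e["host"]):
            continue
        reasons = ["zip archive served from an EC2 public hostname"]
        if len(names_per_url[e["url"]]) > 1:
            reasons.append(f"same URL served {len(names_per_url[e['url']])} distinct file names")
        if shannon_entropy(e["fname"].rsplit(".", 1)[0]) >= 3.0:  # assumed threshold
            reasons.append("high-entropy (likely randomized) file name")
        findings.append({"ts": e["ts"], "client": e["client"], "url": e["url"], "fname": e["fname"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_zip_downloads(SAMPLE_LOG):
        print(f["ts"], f["client"], f["fname"], "|", "; ".join(f["reasons"]))
```

The rotating-name signal only fires once the same URL has been fetched more than once, so the entropy heuristic is what catches a first download; tune the threshold against your own traffic before alerting on it.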

The Toitoin Trojan, which serves as the ultimate payload in this campaign, is specifically designed to target finance-related entities. It gathers system information and data related to installed browsers and the Topaz OFD Protection Module specific to the banking sector. This information is then sent to the attacker’s command and control (C2) server in an encoded format.

The attack begins with a phishing email sent to a prominent investment-banking company in Latin America. The email uses social engineering to create a sense of urgency, urging the recipient to click a button to view an invoice that supposedly requires immediate action. Clicking the link triggers a series of redirects and events that ultimately lead to the download of a malicious ZIP archive onto the victim's system, giving the attackers their initial foothold.

The malicious files within the ZIP archive initiate the Toitoin infection chain, which comprises six stages. These stages include modules such as the Krita Loader DLL, the InjectorDLL module, the ElevateInjectorDLL module, and the BypassUAC module, each with its own specific function. The first-stage downloader module downloads the subsequent stages of the attack while evading sandboxes through system reboots, and it maintains persistence using LNK files. The Krita Loader DLL, sideloaded via a signed binary, loads the InjectorDLL module. This module then injects the ElevateInjectorDLL into a remote process, where it evades sandboxes, performs process hollowing, and injects either the Toitoin Trojan or the BypassUAC module depending on the process privileges. The BypassUAC module bypasses User Account Control (UAC) using the COM Elevation Moniker, ensuring that the Krita Loader runs with admin privileges and, in turn, that the final payload, Toitoin, executes with elevated privileges.

Toitoin exfiltrates system information, including computer names, Windows versions, installed browsers, and other relevant data, and sends it back to the attackers. The Trojan's behavior adapts based on the collected information and on whether the Topaz OFD Protection Module is detected.

To combat sophisticated malware campaigns like Toitoin, organizations need robust cybersecurity measures, continuous monitoring, consistent patch management, and regular system updates, so that up-to-date protections are in place across the entire environment. A zero-trust approach to security can also be effective against complex attack chains: all traffic, including email and web browsing, is inspected and analyzed in real time regardless of the user's location or device. By staying informed and proactive, businesses can defend against emerging cyber threats and protect their critical assets. Deploying security platforms that use advanced threat intelligence and machine-learning algorithms to detect and block both known and unknown malware variants can further strengthen an organization's defense against such attacks.
