Custom Trojan Attacking Latin American Organizations – Source: www.govinfosecurity.com

Cybercrime
,
Fraud Management & Cybercrime
,
Social Engineering

Toitoin Trojan Campaign Uses Six-Staged Infection Chain to Steal Data

Prajeet Nair (@prajeetspeaks) •
July 11, 2023    

A new malware campaign powered with multistage attack methodology is targeting businesses in Latin America using specially crafted modules.

See Also: Live Webinar | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security

The newly identified Trojan, dubbed Toitoin, follows a six-stage attack plan in which each stage is custom-designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by sandboxes through clever techniques such as system reboots and parent process checks, researchers at Zscaler said.

Toitoin malware begins the attack with a phishing email with a malicious ZIP archive that is stealthily downloaded onto the victim’s system and begins infiltrating their defenses.

The email lures the victim with a notification of a fake payment made by the victim, prompting them to click on a button labeled “Visualizar Boleto,” which translates to ‘”View Invoice” in English. The button links to the malicious ZIP file, which is hosted on an Amazon EC2 instance.

Cloud hosting enables threat actors to leverage the capabilities of Amazon’s cloud infrastructure and shield their activities from domain-based detection mechanisms.

To further obfuscate their activities, the threat actors adopted a dynamic approach to naming the ZIP archives. With each new download, the server generates a random file name that adds a layer of complexity to the campaign, making it more challenging to identify and mitigate the threat.

These ZIP files are labeled as HGATH33693LQEMJ.zip and contain a malicious executable file titled HCEMH.hqdrm.63130.exe. The executable operates as the designated downloader module, orchestrated by the threat actors to initiate the retrieval of numerous payloads from the server.

The multistaged Toitoin infection chain consists of six different stages. These include Downloader module, Krita loader DLL, InjectorDLL module, ElevateInjectorDLL module and BypassUAC Module, which finally deploys the Toitoin Trojan.

Researchers observed that the BypassUAC Module is responsible for performing User Account Control bypass, enabling the execution of the Downloader module with administrator privileges.

The ElevateInjectorDLL module injects the Trojan into the remote process svchost.exe. Once executed, it reads the encoded [<]computer_name[>].ini configuration file, previously written in the Public Documents folder by the Downloader module. This helps the malware evade detection and maintain persistence on compromised systems.

Analysis by researchers revealed the presence of downloader modules, injector modules and backdoors that all play specific roles in the overall infection chain.

The malware has the ability to exfiltrate system information, including computer names, Windows versions, installed browsers and other relevant data to the command-and-control server. The communication with the server occurs through encrypted channels, and in the absence of an INI configuration file, a curl POST request is used for data transmission.