Since May 2023, a new Windows banking trojan called "Toitoin" has been distributed in Latin America. The malware targets banking data, according to researchers at Zscaler, whose report on the campaign was published last week.
According to Zscaler, the campaign is a multi-stage infection chain in which each stage uses a purpose-built module. These modules inject code into remote processes, bypass User Account Control (UAC), and evade sandboxes with several techniques, including forcing a system reboot and checking the parent process.
The campaign uses a six-stage infection process that shows signs of careful planning. It begins with a phishing email whose link leads to a ZIP archive hosted on an attacker-controlled Amazon EC2 instance, a choice that sidesteps domain-reputation checks. The lure is financial, such as an invoice, to catch unsuspecting recipients. The ZIP archive contains a downloader executable that establishes persistence by creating a shortcut (LNK file) in the Windows Startup folder. The downloader also contacts a remote server to fetch the next set of payloads, which are disguised as MP3 files to evade detection.
The downloader also drops a batch script that reboots the system after a 10-second delay. Because the malicious actions take place only after the reboot, the researchers explain, a sandbox whose analysis does not survive the restart never sees them.
One of the retrieved payloads is icepdfeditor.exe, a legitimate binary signed by ZOHO Corporation Private Limited. When run, it loads a malicious DLL named ffmpeg.dll placed beside it (DLL side-loading), which the researchers refer to as Krita Loader.
Krita Loader decrypts a JPG file that was downloaded alongside the other payloads; the decrypted content is an executable module called InjectorDLL, which Krita Loader then launches. InjectorDLL decrypts a second JPG file into a module called ElevateInjectorDLL and injects it into the system process explorer.exe. ElevateInjectorDLL bypasses User Account Control (UAC) when necessary to elevate privileges, then decrypts the Toitoin trojan itself and injects it into a svchost.exe process.
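The chain above leaves four host-level traces a defender can hunt for independently of any hash: a shortcut written to the Startup folder by a binary in a user-writable path, a short-delay `shutdown /r` launched from a batch file, an unsigned DLL loaded from the same user-writable directory as its signed host executable, and remote threads created in explorer.exe or svchost.exe. The Python below is an added example of those hunting rules run over a handful of constructed Sysmon-style events; it is my own code, not Zscaler's tooling or indicators from their report, and the event fields, file paths, the 60-second reboot threshold and the "user-writable path" heuristic are all assumptions.

```python
"""Hunting rules for the Toitoin-style chain, run over constructed Sysmon-like events.
Added example: events, paths and thresholds are assumptions, not report indicators."""
import ntpath  # handles Windows paths correctly on any host

# Constructed sample events, loosely modelled on Sysmon Event IDs 1 (process create),
# 7 (image load), 8 (CreateRemoteThread) and 11 (file create). Every path is made up.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\ana\AppData\Local\Temp\invoice.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown /r /t 10",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd /c C:\Users\ana\AppData\Local\Temp\reboot.bat"},
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Local\Temp\icepdfeditor.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\ffmpeg.dll", "Signed": "false"},
    {"EventID": 8, "SourceImage": r"C:\Users\ana\AppData\Local\Temp\icepdfeditor.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    # Benign noise: a scheduled patch reboot and a media player loading its own signed DLL.
    {"EventID": 1, "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": 'shutdown /r /t 300 /c "Patch Tuesday"',
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": "..."},
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "Signed": "true"},
]

USER_DIRS = ("\\appdata\\", "\\downloads\\", "\\desktop\\", "\\temp\\")
SYSTEM_TARGETS = {"explorer.exe", "svchost.exe"}


def user_writable(path):
    """Heuristic (assumption): path lives under a per-user profile or temp directory."""
    p = path.lower()
    return "\\users\\" in p and any(d in p for d in USER_DIRS)


def base(path):
    return ntpath.basename(path).lower()


def reboot_delay(cmdline):
    """Delay in seconds requested by a 'shutdown /r' command line, or None if not a reboot."""
    toks = cmdline.split()
    if not toks or base(toks[0]) not in ("shutdown", "shutdown.exe"):
        return None
    flags = {t[1:].lower(): i for i, t in enumerate(toks) if t[0] in "/-"}
    if "r" not in flags:
        return None
    i = flags.get("t")
    if i is None:
        return 30  # Windows default timeout when /t is omitted
    return int(toks[i + 1]) if i + 1 < len(toks) and toks[i + 1].isdigit() else None


def hunt(events):
    """Return (rule, event_index) for every event that matches one of the stage rules."""
    hits = []
    for i, e in enumerate(events):
        eid = e["EventID"]
        if eid == 11:
            target = e["TargetFilename"]
            if (base(ntpath.dirname(target)) == "startup" and target.lower().endswith(".lnk")
                    and user_writable(e["Image"])):
                hits.append(("startup_lnk", i))
        elif eid == 1:
            delay = reboot_delay(e["CommandLine"])
            parent = e.get("ParentCommandLine", "").lower()
            # Short reboot driven by a batch file in a user-writable location.
            if delay is not None and delay <= 60 and ".bat" in parent and user_writable(parent):
                hits.append(("short_reboot", i))
        elif eid == 7:
            same_dir = ntpath.dirname(e["ImageLoaded"]).lower() == ntpath.dirname(e["Image"]).lower()
            if e.get("Signed", "").lower() == "false" and same_dir and user_writable(e["Image"]):
                hits.append(("dll_sideload", i))
        elif eid == 8:
            src, dst = e["SourceImage"], e["TargetImage"]
            # Injection into explorer/svchost from user space, or explorer hopping into svchost.
            if base(dst) in SYSTEM_TARGETS and (user_writable(src) or base(src) == "explorer.exe"):
                hits.append(("remote_thread", i))
    return hits


def looks_like_toitoin(events, min_stages=3):
    """Correlate: how many distinct stage rules fired. One alone is weak; several together are not."""
    return len({rule for rule, _ in hunt(events)}) >= min_stages


if __name__ == "__main__":
    for rule, idx in hunt(EVENTS):
        print(f"{rule:14s} event #{idx}: {EVENTS[idx]}")
    print("chain-like:", looks_like_toitoin(EVENTS))
```

Each rule on its own will fire on legitimate software (installers write Startup shortcuts, patch tools reboot, plenty of apps ship their own DLLs), which is why the final correlation step counts distinct stages rather than alerting on any single hit; the benign reboot and the VLC DLL load in the sample are left untouched.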