Banking Firms Under Attack by Sophisticated 'Toitoin' Campaign

A sophisticated and evasive malware campaign is targeting businesses in Latin America with a multi-stage attack that starts with phishing and ends with the deployment of a novel Trojan dubbed Toitoin that steals critical system information and data from financial institutions.

Researchers from Zscaler discovered the elaborate campaign, which features a multistage infection chain that uses custom-built modules throughout each stage, to inject harmful code into remote processes and circumvent user account control (UAC), among other activities.

"The multi-staged infection chain observed in this campaign involves the use of custom-developed modules that employ various evasion techniques and encryption methods," researchers revealed in a blog post published last week.

The evasive tactics include leveraging Amazon Elastic Compute Cloud (EC2) to host the malware within compressed .zip archives. 

"By leveraging Amazon EC2 instances, the threat actors evade domain-based detections, making it more challenging to detect and block their activities," the researchers wrote in the post.

The .zip archives, too, employ their own evasive maneuver, generating a new and randomly generated file name with each download. This allows them to evade detection based on static file-naming patterns. "This tactic adds an additional layer of complexity to the campaign, making it more challenging to identify and mitigate the threat effectively," the researchers noted.

The Toitoin ultimate payload is a Trojan malware built to attack finance targets, dubbed Toitoin, which gathers system info as well as data pertaining to installed browsers and the banking sector-specific Topaz OFD Protection Module, and sends it to attacker command and control (C2) in an encoded format, they said.

Email to Trojan in 6 Steps

Researchers intercepted a phishing email sent to a prominent investment-banking company in Latin America that they said represents the first stage in the attack. It leverages social-engineering to instill a sense of urgency, using a payment-notification lure asking the recipient to click on a button to view an invoice for immediate action.

The link in the email sets off a chain of redirects and events that ultimately lead to the downloading of a malicious .zip archive onto the victim's system that "begins infiltrating their defenses," the researchers wrote.

The malicious files set off the Toitoin infection chain, which is a complex one that runs in six stages that begin with a downloader module and end with the deployment of the Trojan. In between, it deploys various malware modules, including the Kirta Loader DLL, InjectorDLL Module, ElevateInjectionDLL module, and BypassUAC Module, each with its own specific function.

The first-stage downloader module downloads further stages of the attack and evades sandboxes through system reboots, maintaining persistence using LNK files. The Krita Loader DLL, which is sideloaded via a signed binary, loads the next module, the InjectorDLL. This, in turn, injects the ElevateInjectorDLL into the remote process, where it evades sandboxes, performs process hollowing, and injects either the Toitoin Trojan at that point, or the BypassUAC module based on process privileges.

The BypassUAS module does what its name implies — bypasses UAC using COM Elevation Moniker for the execution of the Krita Loader with admin privileges. This also ensures that the next stage of the process — the final payload, Toitoin — is executed with elevated privileges.

"The malware payload is injected into legitimate processes, such as explorer.exe and svchost.exe, to evade detection and maintain persistence on compromised systems," the researchers explained.

Toitoin exfiltrates system info — including computer names, Windows versions, installed browsers, and other relevant data — and sends it back to attackers, adapting its behavior based on the information it collects as well as the detected presence of the Topaz OFD - Protection Module.

Avoiding Malware Compromise

Sophisticated malware campaigns like Toitoin demand a similar response from the organizations that they target, the researchers said. This includes robust cybersecurity measures and continuous monitoring, as well as consistent patch management and system updating to ensure the latest protections are in place across the entire environment, they said.

Organizations can also take a zero-trust approach to security to better arm themselves against complex attack chains, the researchers said. In a zero-trust approach, all traffic, including email communications and Web browsing, is inspected and analyzed in real-time, regardless of the user's location or device.

"This comprehensive inspection helps identify and block malicious emails, phishing attempts, and suspicious URLs associated with malware campaigns like Toitoin," the researchers noted.

Organizations also can deploy security platforms that use advanced threat intelligence and machine-learning algorithms to detect and block known and unknown malware variants to defend themselves.

"By staying informed and proactive, businesses can effectively defend against emerging cyber threats and protect their critical assets," the researchers said.