A new cybercriminal campaign currently targets Latin American organisations with the TOITOIN trojan. The campaign uses a highly sophisticated method that combines a multi-stage infection process with a custom XOR decryption routine to decode its configuration archive.
The TOITOIN trojan campaign has six phases for its infection process.
According to the investigation, the TOITOIN trojan operators carefully planned and executed all six stages of the infection process against their targets.
The first stage is a phishing email that impersonates an invoice to lure and deceive targeted users. The email contains a malicious URL that redirects the user to a ZIP file hosted on an Amazon EC2 instance, which helps the campaign bypass detection based on domain reputation.
In addition, the downloaded file creates a Batch script that triggers a system restart with a 10-second delay to avoid detection in sandbox environments. By starting the malicious activity only after the reboot, the operators can also bypass sandbox detection that monitors the initial execution.
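A defender-side illustration of the reboot-delay evasion described above, added here and not taken from the report: it scans constructed process-creation events (Sysmon-style field names assumed) for a restart with a short timeout launched from a batch file in a user-writable directory. The page does not give the loader's exact command line, so `shutdown /r /t 10` and the 30-second threshold are assumptions.

```python
import re

# Constructed process-creation events (not from the page). Field names mimic the
# usual Sysmon Event ID 1 layout: Image, CommandLine, ParentImage, ParentCommandLine.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown /r /t 10",                       # assumed loader behaviour
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\invoice\run.bat"'},
    {"Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": 'shutdown /r /t 600 /c "Patch window"',    # benign admin reboot
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\ProgramData\IT\reboot_patch.bat"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
]

MAX_DELAY_SECONDS = 30   # assumed threshold; the report describes a 10-second restart
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\Downloads\\", re.IGNORECASE)
SHUTDOWN_RESTART = re.compile(r"shutdown(\.exe)?\b.*(/|-)r\b", re.IGNORECASE)
TIMEOUT_FLAG = re.compile(r"(?:/|-)t\s+(\d+)", re.IGNORECASE)


def restart_delay(cmdline):
    """Return the /t value of a shutdown restart command, or None if it is not a restart."""
    if not SHUTDOWN_RESTART.search(cmdline):
        return None
    m = TIMEOUT_FLAG.search(cmdline)
    # shutdown.exe uses a 30-second timeout when /t is not given
    return int(m.group(1)) if m else 30


def is_suspicious_reboot(event, max_delay=MAX_DELAY_SECONDS):
    """Flag a short-timer restart whose parent is a batch script in a user-writable path."""
    delay = restart_delay(event.get("CommandLine", ""))
    if delay is None or delay > max_delay:
        return False
    parent = event.get("ParentCommandLine", "")
    return bool(USER_WRITABLE.search(parent)) and ".bat" in parent.lower()


def find_suspicious(events):
    """Return the command lines of all events that match the reboot-evasion pattern."""
    return [e["CommandLine"] for e in events if is_suspicious_reboot(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT short-timer reboot from user-writable batch script:", hit)
```

Only the first constructed event is flagged; the scheduled administrative reboot and the unrelated process are ignored.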
Furthermore, the malware developers designed the loader component to decrypt a downloaded JPG file and run a different executable called the InjectorDLL module. Next, the module converts a second JPG file into a component module called ElevateInjectorDLL.
Lastly, the InjectorDLL module decrypts the TOITOIN trojan and injects it into the svhost[.]exe process. The threat actors then inject ElevateInjectorDLL into the explorer[.]exe process before the final compromise.
The TOITOIN trojan can collect system information and extract saved data from well-known browsers such as Chrome, Edge, Explorer, Firefox, and Opera. In addition, the malware checks whether the targeted system has an anti-fraud module that is commonly used within the Latin American region. It uses XOR decryption to decode its configuration files and transmits the collected system information to the C2 server.
This new malware campaign aimed at entities in Latin America shows the advancing tactics and sophistication employed by threat actors. Therefore, organisations should maintain high vigilance against upgraded malware threats and establish potent security protocols.
Experts advise organisations within the targeted region to regularly update their systems to mitigate the effects of these looming threats.