Hackers covertly deliver payloads to target computers using MP3 files.
A new Windows banking trojan called "TOITOIN" has been circulating in Latin America since May 2023, according to a Zscaler report released last week.
According to Zscaler researchers, "this sophisticated campaign employs a Trojan that follows a multistage infection chain, using specially designed modules at each stage."
The experts continued, "These modules are intended to carry out malicious actions like injecting malicious code into remote processes, getting around User Account Control, and avoiding sandbox detection using cunning techniques like rebooting the system and checking the parent process."
The six-step infection chain is carefully constructed. It starts with a phishing email containing a link to a ZIP archive hosted on an Amazon EC2 instance controlled by the attackers; hosting the archive on cloud infrastructure rather than on their own domains helps the operators evade domain-based detection.
The lures use financial themes such as invoices to draw in unsuspecting recipients. The ZIP archive contains a bootloader executable that establishes persistence simply by dropping a shortcut into the Windows startup folder, then contacts a remote server to download six next-stage payloads, which are disguised as MP3 files to evade detection.
Additionally, the bootloader creates a batch script that, after a 10-second wait, restarts the system. The researchers explained that this is done to "evade detection by the sandbox, since all malicious actions only take place after a reboot."
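A defender-side check for the disguised-payload trick described above: a renamed Windows executable still begins with the "MZ" header, whereas real MP3 files start with an ID3 tag or an MPEG frame sync. This is an added example, not code from the Zscaler report; the sample headers are constructed, and the frame check is a heuristic rather than a full MPEG parser.

```python
import os

PE_MAGIC = b"MZ"    # DOS/PE header that starts every Windows executable
ID3_MAGIC = b"ID3"  # ID3v2 tag that begins most MP3 files

def looks_like_mpeg_frame(header: bytes) -> bool:
    """Heuristic MPEG audio frame check: 11 sync bits set, non-reserved version and layer."""
    if len(header) < 2:
        return False
    sync_ok = header[0] == 0xFF and (header[1] & 0xE0) == 0xE0
    version_ok = (header[1] >> 3) & 0x03 != 0x01  # 01 is reserved
    layer_ok = (header[1] >> 1) & 0x03 != 0x00    # 00 is reserved
    return sync_ok and version_ok and layer_ok

def classify_header(header: bytes) -> str:
    """Return 'pe_executable', 'mp3' or 'unknown' for the first bytes of a file."""
    if header.startswith(PE_MAGIC):
        return "pe_executable"
    if header.startswith(ID3_MAGIC) or looks_like_mpeg_frame(header):
        return "mp3"
    return "unknown"

def find_masquerading(files: dict) -> list:
    """Names of .mp3 files whose leading bytes are not MP3 audio."""
    return sorted(name for name, header in files.items()
                  if name.lower().endswith(".mp3") and classify_header(header) != "mp3")

def scan_directory(path: str) -> list:
    """Read the first four bytes of every file under path and report mismatches."""
    headers = {}
    for root, _dirs, names in os.walk(path):
        for name in names:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    headers[full] = fh.read(4)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return find_masquerading(headers)

# Constructed sample headers for a self-contained run (not samples from the campaign).
SAMPLE_FILES = {
    "track01.mp3": b"ID3\x04",           # genuine ID3v2-tagged MP3
    "track02.mp3": b"\xff\xfb\x90\x00",  # genuine MP3 beginning with an MPEG frame
    "stage2.mp3": b"MZ\x90\x00",         # PE executable renamed to .mp3
}

if __name__ == "__main__":
    print(find_masquerading(SAMPLE_FILES))  # ['stage2.mp3']
```

Run `scan_directory()` against a user's download or temp folders to surface files whose extension and content disagree; the same idea extends to other decoy extensions by adding their magic bytes.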
One of the payloads is "icepdfeditor.exe", a legitimately signed ZOHO Corporation Private Limited binary which, when run, loads a rogue DLL named "ffmpeg.dll" that the researchers have codenamed Krita Loader.
Krita Loader in turn runs another module, InjectorDLL, which decodes a JPG file that carries further payloads and converts a second downloaded JPG file into an additional module, ElevateInjectorDLL.
After injecting ElevateInjectorDLL into the "explorer.exe" system process, the InjectorDLL component decrypts the TOITOIN trojan and injects it into the "svchost.exe" process, bypassing User Account Control (UAC) where necessary to gain elevated privileges.
According to the researchers, "this technique enables the malware to manipulate system files and processes by executing commands with elevated privileges and facilitating subsequent malicious actions."
TOITOIN collects system information and extracts data from installed web browsers such as Google Chrome, Microsoft Edge, Internet Explorer, Mozilla Firefox, and Opera. It also checks for "Topaz Online Fraud Detection", an anti-fraud component built into Latin American banking platforms.
According to the researchers, the attackers deliver their malicious payload successfully through deceptive phishing emails, sophisticated redirect mechanisms, and domain diversification.
The multi-stage infection chain seen in this campaign relies on purpose-built modules that combine several evasion techniques and encryption methods, the experts said.