    In Latin America, the Trojan horse "TOITOIN" gallops through businesses.

    Hackers covertly deliver payloads to target computers using MP3 files.

    A fresh Windows trojan called "TOITOIN" has been making the rounds in Latin America since May 2023 and is designed to steal banking information. Researchers from Zscaler reported this in a recent report that was released last week.

    According to Zscaler researchers, "this sophisticated campaign employs a Trojan that follows a multistage infection chain, using specially designed modules at each stage."

    The experts continued, "These modules are intended to carry out malicious actions like injecting malicious code into remote processes, getting around User Account Control, and avoiding sandbox detection using cunning techniques like rebooting the system and checking the parent process."

    The six-step infection process is extremely well-designed. It starts with a phishing email that contains a link to a ZIP archive hosted on the attackers' Amazon EC2 instance; hosting the archive on cloud infrastructure rather than an attacker-owned domain helps it evade domain-based detection.

    Scammers lure unsuspecting recipients in with financial subjects such as invoices as bait. The ZIP archive contains a bootloader executable that establishes persistence with a simple shortcut in the Windows startup folder and then contacts a remote server to download six further payloads, which are stored under MP3 file names to evade detection.

    Additionally, the bootloader creates a batch script that, after a 10-second wait, restarts the system. The researchers explained that this is done to "evade detection by the sandbox, since all malicious actions only take place after a reboot."
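    The loader described above fetches its stages under .mp3 names, so one cheap defensive triage check is to compare each file's extension with what its leading bytes actually are. The following script is an added example, not code from the article or from Zscaler's report: it walks a directory, parses the DOS header of each "audio" file to see whether e_lfanew points at a PE signature, and reports the mismatches. The sample files it writes are constructed for the example (a minimal DOS stub plus PE signature, not a real payload) and the directory names are made up.

```python
"""Triage check for executables disguised as audio files.

Added example, not code from the article or from Zscaler's report.
TOITOIN's loader fetched its stages under .mp3 names; comparing the file
extension with the file's leading bytes is a cheap way to surface that.
Every sample below is constructed for the example.
"""
import os
import struct
import tempfile

PE_SIGNATURE = b"PE\x00\x00"
AUDIO_EXTS = {".mp3", ".wav", ".ogg", ".flac"}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def is_mp3(data: bytes) -> bool:
    """True if data starts with an ID3v2 tag or an MPEG audio frame sync."""
    if data.startswith(b"ID3"):
        return True
    # Frame sync is 11 set bits: 0xFF followed by a byte with its top 3 bits set.
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def is_disguised_pe(name: str, data: bytes) -> bool:
    """Extension claims audio, content is a Windows executable image."""
    ext = os.path.splitext(name)[1].lower()
    return ext in AUDIO_EXTS and is_pe(data)


def scan_dir(path: str) -> list[str]:
    """Return relative paths of audio-named files that are really PE images."""
    hits = []
    for root, _dirs, files in os.walk(path):
        for fn in files:
            full = os.path.join(root, fn)
            with open(full, "rb") as fh:
                head = fh.read(4096)  # e_lfanew normally sits well within 4 KiB
            if is_disguised_pe(fn, head):
                hits.append(os.path.relpath(full, path))
    return sorted(hits)


def minimal_pe_image() -> bytes:
    """Constructed: a DOS stub with e_lfanew = 0x40 followed by the PE signature."""
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    return dos_header + PE_SIGNATURE + b"\x00" * 16


# Constructed sample tree: two genuine-looking MP3 headers, one PE image
# hiding under an .mp3 name, and one PE image honestly named .exe.
SAMPLES = {
    "music/song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 32,
    "music/track.mp3": b"\xff\xfb\x90\x44" + b"\x00" * 32,
    "cache/stage1.mp3": minimal_pe_image(),   # should be flagged
    "tools/editor.exe": minimal_pe_image(),   # extension matches content
}


def demo() -> list[str]:
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLES.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan_dir(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("disguised executable:", hit)
```

    Pointing scan_dir at a user's download or temp directory turns the check into a quick post-incident sweep; reading only the first 4 KiB keeps it fast on large media libraries, and the e_lfanew walk avoids false positives from the stray "MZ" bytes that audio data can legitimately contain.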

    One of the payloads found is "icepdfeditor.exe," a legitimate binary signed by ZOHO Corporation Private Limited. When run, it loads a rogue DLL named "ffmpeg.dll," which the researchers call Krita Loader.

    Krita Loader in turn runs the InjectorDLL module, which decodes a downloaded JPG file that carries further payloads. A second downloaded JPG file is converted into the so-called ElevateInjectorDLL module.

    The InjectorDLL component injects ElevateInjectorDLL into the "explorer.exe" system process, then decrypts the TOITOIN trojan and injects it into the "svchost.exe" process, bypassing User Account Control (UAC) where necessary to elevate process privileges.

    According to the researchers, "this technique enables the malware to manipulate system files and processes by executing commands with elevated privileges and facilitating subsequent malicious actions."

    TOITOIN collects system information and extracts data from installed web browsers such as Google Chrome, Microsoft Edge, Internet Explorer, Mozilla Firefox, and Opera. It also looks for "Topaz Online Fraud Detection," an anti-fraud component built into Latin American banking platforms.

    Attackers successfully deliver their malicious payload using deceptive phishing emails, sophisticated redirect mechanisms, and domain diversification, according to the researchers.

    The use of specially created modules that employ various evasion techniques and encryption methods is part of the multi-stage chain of infection seen in this campaign, the experts said.

    Author DeepWeb