Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the penci-text-to-speech domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/revifuxl/hacksbyte.com/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the penci-bookmark-follow domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/revifuxl/hacksbyte.com/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the soledad domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/revifuxl/hacksbyte.com/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the penci-paywall domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/revifuxl/hacksbyte.com/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the penci-frontend-submission domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/revifuxl/hacksbyte.com/wp-includes/functions.php on line 6114
New TOITOIN banking Trojan is targeting Latin American businesses – HacksByte

New TOITOIN banking Trojan is targeting Latin American businesses

“This sophisticated campaign uses a Trojan that follows a multi-stage infection chain using specially crafted modules at each stage,” Zsklar researchers Neeraj Shivtarkar and Preet Kamal said in a report published last week.

“These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, bypassing User Account Control via COM elevation monikers, and through clever techniques such as system reboot and parent process checks.”

The six-step effort has all the hallmarks of a well-crafted attack sequence, starting with a phishing email containing an embedded link that evades domain-based detection hosted on an Amazon EC2 instance.

Email messages take advantage of invoice-themed bait to trick unwitting recipients into opening them, thereby activating the infection. Within the zip archive is a downloader executable engineered to establish persistence via the LNK file in the Windows Startup folder and communicate with a remote server to retrieve the six next-stage payloads as MP3 files.

Downloader is also responsible for generating a batch script that restarts the system after a timeout of 10 seconds. “This is done to avoid sandbox detection as malicious activities happen only after reboot,” the researchers said.

The received payload contained “icepdfeditor.exe”, a validly signed binary by ZOHO Corporation Private Limited that, when executed, sideloaded a rogue DLL (“ffmpeg.dll”) codenamed Krita Loader.

On the other hand, the loader is designed to decode the downloaded JPG file with other payloads and launch another executable known as the InjectorDLL module, which reverses the second JPG file, called the ElevateInjectorDLL module.

The InjectorDLL component then proceeds to inject ElevateInjectorDLL into the “explorer.exe” process, which then bypasses User Account Control (UAC), if necessary, to elevate process privileges and decrypt the TOITOIN Trojan, and is injected into the “.svchost.exe” process.

“This technique allows malware to manipulate system files and execute commands with elevated privileges, thereby facilitating further malicious activities,” the researchers explained.

TOITOIN comes with system information as well as capabilities to collect data from installed web browsers such as Google Chrome, Microsoft Edge and Internet Explorer, Mozilla Firefox and Opera. In addition, it checks the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module integrated into banking platforms in the LATAM region.

The nature of the responses from the command-and-control (C2) server is currently not known as the server is no longer available.

“Through deceptive phishing emails, complex redirect mechanisms and domain diversification, threat actors successfully distribute their malicious payloads,” the researchers said. “The multi-stage infection chain observed in this campaign involved the use of custom-developed modules that employed various evasion techniques and encryption methods.”

Related posts

Microsoft CEO Satya Nadella dreams of a world where India and every person on the planet is empowered by AI

Chinese hackers exploited FortiGate Flaw to break the Dutch Military Network

Russian Coldriver hackers are moving beyond phishing with custom malware

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More