Cyber Security Threat Summary:
“Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023. ‘This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage,’ Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week. ‘These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks.’ The six-stage endeavor has all the hallmarks of a well-crafted attack sequence, beginning with a phishing email containing an embedded link that points to a ZIP archive hosted on an Amazon EC2 instance to evade domain-based detections. The email messages leverage an invoice-themed lure to trick unwitting recipients into opening them, thereby activating the infection. Within the ZIP archive is a downloader executable that's engineered to set up persistence by means of an LNK file in the Windows Startup folder and communicate with a remote server to retrieve six next-stage payloads in the form of MP3 files” (The Hacker News, 2023)

According to researchers, the downloader is also designed to generate a Batch script that restarts the system after a 10-second timeout. This in turn helps evade sandbox detections as the malicious actions are carried out after a system reboot.

Security Officer Comments:
Among the payloads is a signed binary that is executed with elevated privileges and is designed to sideload Krita Loader DLL. For its part, the Krita loader is responsible for decoding a JPG file downloaded alongside the other payloads and loading an executable dubbed InjectorDLL module that further injects another executable (ElevateInjectorDLL) into the remote process (explorer[.]exe). Since this executable is injected into the memory of a legitimate process, it is able to evade detection via process hollowing, further enabling a User Account Control bypass. Once privileges are elevated, ElevateInjectorDLL will decrypt the final payload and inject it into the "svchost[.]exe" process. In this case, the final payload is the Toitoin banking trojan. Once executed, Toitoin will gather system data as well as information stored in browsers like Google Chrome, Microsoft Edge, and Mozilla. Since many browsers have the option to store credentials, the threat actors can potentially log in to victims’ banks or other accounts, successfully siphoning funds without the victim’s knowledge.

Suggested Correction(s):
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from their customers. If in doubt, users should verify with the company itself to avoid any potential issues.

Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.

Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double check with the company if they are uncertain about the status of their accounts.

Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.

Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.

If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.

Link(s):
https://thehackernews.com/2023/07/new-toitoin-banking-trojan-targeting.html