
Banking Companies Are Being Attacked by a Complex “Toitoin” Campaign


By Esme Greene

Aug 12, 2023

Zscaler researchers have uncovered a sophisticated malware campaign targeting businesses in Latin America. The attack is multi-staged: it begins with a phishing email and ends with the deployment of a previously unseen Trojan the researchers named Toitoin.

Across the infection chain, dedicated modules are used to bypass User Account Control (UAC) and inject malicious code into remote processes. The campaign hosts its malware as .zip archives on Amazon Elastic Compute Cloud (EC2) instances and layers several evasion and encryption techniques on top of that.

Because the .zip archives carry dynamically generated file names, they cannot be identified by static file-naming patterns; detection has to rely on the content and behaviour of what is delivered instead. The final payload, the Toitoin Trojan, targets the financial sector by collecting system information, browser data, and data from specialized banking modules, then sends it in encoded form to the attackers' command-and-control (C2) servers.
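Since the archive and member names change from sample to sample, a practical triage check looks inside the archive rather than at its name. The following is an added example, not code from Zscaler or from the page: it walks a .zip (including one level of nested archives), identifies PE executables by their MZ/PE headers regardless of extension, flags executables disguised with document extensions, and flags common launcher extensions. The sample archive, its random member names, and the minimal PE stub are all constructed inline for the demonstration.

```python
"""Content-based triage of .zip attachments (added example, not Zscaler's code).

The campaign described above ships payloads in archives with unpredictable
names, so this check ignores names and inspects member content instead.
"""
import io
import random
import string
import zipfile
from typing import Dict, List

PE_OFFSET_FIELD = 0x3C          # e_lfanew lives at this offset in the MZ header
LAUNCHER_EXTS = (".lnk", ".js", ".vbs", ".hta", ".ps1", ".bat", ".cmd", ".scr")
EXEC_EXTS = (".exe", ".dll", ".sys", ".scr")


def _looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[PE_OFFSET_FIELD:PE_OFFSET_FIELD + 4], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_zip(blob: bytes, depth: int = 0, max_depth: int = 2,
               max_member: int = 8 * 1024 * 1024) -> List[Dict[str, str]]:
    """Return findings for suspicious members of a zip blob, recursing into nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [{"path": "<root>", "reason": "not a valid zip"}]

    findings: List[Dict[str, str]] = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Bound what we decompress so a zip bomb cannot exhaust memory.
            if info.file_size > max_member:
                findings.append({"path": info.filename, "reason": "member exceeds size cap"})
                continue
            data = zf.read(info)
            name = info.filename.lower()
            if _looks_like_pe(data):
                if name.endswith(EXEC_EXTS):
                    reason = "PE executable"
                else:
                    reason = "PE executable disguised with extension " + name.rsplit(".", 1)[-1]
                findings.append({"path": info.filename, "reason": reason})
            elif data[:4] == b"PK\x03\x04":
                if depth < max_depth:
                    for inner in triage_zip(data, depth + 1, max_depth, max_member):
                        inner["path"] = info.filename + "/" + inner["path"]
                        findings.append(inner)
                else:
                    findings.append({"path": info.filename, "reason": "nested zip beyond max depth"})
            elif name.endswith(LAUNCHER_EXTS):
                findings.append({"path": info.filename, "reason": "script or shortcut launcher"})
    return findings


def _fake_pe() -> bytes:
    """Minimal MZ stub with e_lfanew pointing at a 'PE\\0\\0' signature (constructed test data)."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    buf[PE_OFFSET_FIELD:PE_OFFSET_FIELD + 4] = (0x40).to_bytes(4, "little")
    buf += b"PE\x00\x00" + b"\x00" * 20              # PE signature at offset 0x40
    return bytes(buf)


def build_sample_zip() -> bytes:
    """Constructed sample: random member names, a PE posing as a PDF, and a nested zip with a DLL."""
    rnd = "".join(random.choices(string.ascii_letters + string.digits, k=12))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(rnd + ".pdf", _fake_pe())                    # executable masquerading as a document
        zf.writestr("readme.txt", b"payment details attached\n")  # benign member, should not be flagged
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr(rnd[::-1] + ".dll", _fake_pe())
        zf.writestr("attachment.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["path"], "->", f["reason"])
```

The member names in the sample are regenerated on every run, and the check still flags the same two members, which is the point: the signal is the MZ/PE header and the archive structure, not anything the attacker controls in the name.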

Infection Chain: From Phishing Email to Trojan

The attack chain the researchers examined began with a phishing email sent to a Latin American investment banking firm. The email lures the recipient into clicking a payment-notification link, which triggers a series of redirects that end in the download of a malicious .zip archive.

That archive kicks off Toitoin's six-stage infection chain, which is made up of several malware modules with distinct roles. These modules (Krita Loader DLL, Injector DLL, Elevate Injector DLL, and the Bypass UAC module) evade sandboxes, establish persistence, perform process hollowing, and inject the Toitoin Trojan as the final payload.

Toitoin collects system information and adapts its behaviour to what it finds, including whether the Topaz OFD Protection Module, a banking-protection product, is present on the machine. To evade detection and maintain persistence on infected systems, the Trojan injects itself into trusted processes such as explorer.exe and svchost.exe.

Avoiding Malware Compromise

Defending against malware like Toitoin requires layered controls: continuous monitoring, timely patch management, and email and web filtering that blocks phishing messages and suspicious URLs before users reach them. A zero-trust approach then limits what a compromised endpoint can reach even when the initial lure succeeds.

Security tooling backed by current threat intelligence and behavioural or machine-learning detection is needed to catch both known and novel malware, particularly when file names and hashes change from sample to sample. By staying informed and acting proactively, organizations can protect critical assets from evolving threats.
