Banking Firms Under Attack by Sophisticated Toitoin Campaign

An attack involves a multistage infection chain with custom malware hosted on Amazon EC2 that ultimately steals critical system and browser data; so far, targets have been located in Latin America.

A sophisticated and evasive malware campaign is targeting businesses in Latin America with a multi-stage attack that starts with phishing and ends with the deployment of a novel
Trojan
dubbed Toitoin that steals critical system information and data from financial institutions.
Researchers from Zscaler discovered the elaborate campaign, which features a multistage infection chain that uses custom-built modules throughout each stage, to inject harmful code into remote processes and circumvent user account control (UAC), among other activities.
The multi-staged infection chain observed in this campaign involves the use of custom-developed modules that employ various evasion techniques and encryption methods, researchers revealed
in a blog post
published last week.
The evasive tactics include leveraging Amazon Elastic Compute Cloud (EC2) to host the malware within compressed .zip archives.
By leveraging Amazon EC2 instances, the threat actors evade domain-based detections, making it more challenging to detect and block their activities, the researchers wrote in the post.
The .zip archives, too, employ their own evasive maneuver, generating a new and randomly generated file name with each download. This allows them to evade detection based on static file-naming patterns. This tactic adds an additional layer of complexity to the campaign, making it more challenging to identify and mitigate the threat effectively, the researchers noted.
The Toitoin ultimate payload is a
Trojan malware built to attack finance targets,
dubbed Toitoin, which gathers system info as well as data pertaining to installed browsers and the banking sector-specific Topaz OFD Protection Module, and sends it to attacker command and control (C2) in an encoded format, they said.
Researchers intercepted a
phishing email
sent to a prominent investment-banking company in Latin America that they said represents the first stage in the attack. It leverages
social-engineering
to instill a sense of urgency, using a payment-notification lure asking the recipient to click on a button to view an invoice for immediate action.
The link in the email sets off a chain of redirects and events that ultimately lead to the downloading of a malicious .zip archive onto the victims system that begins infiltrating their defenses, the researchers wrote.
The malicious files set off the Toitoin infection chain, which is a complex one that runs in six stages that begin with a downloader module and end with the deployment of the Trojan. In between, it deploys various malware modules, including the Kirta Loader DLL, InjectorDLL Module, ElevateInjectionDLL module, and BypassUAC Module, each with its own specific function.
The first-stage downloader module downloads further stages of the attack and evades sandboxes through system reboots, maintaining persistence using LNK files. The Krita Loader DLL, which is sideloaded via a signed binary, loads the next module, the InjectorDLL. This, in turn, injects the ElevateInjectorDLL into the remote process, where it evades sandboxes, performs process hollowing, and injects either the Toitoin Trojan at that point, or the BypassUAC module based on process privileges.
The BypassUAS module does what its name implies — bypasses UAC using COM Elevation Moniker for the execution of the Krita Loader with admin privileges. This also ensures that the next stage of the process — the final payload, Toitoin — is executed with elevated privileges.
The malware payload is injected into legitimate processes, such as explorer.exe and svchost.exe, to evade detection and maintain persistence on compromised systems, the researchers explained.
Toitoin exfiltrates system info — including computer names, Windows versions, installed browsers, and other relevant data — and sends it back to attackers, adapting its behavior based on the information it collects as well as the detected presence of the Topaz OFD
-
Protection Module.
Sophisticated malware campaigns like Toitoin demand a similar response from the organizations that they target, the researchers said. This includes robust cybersecurity measures and continuous monitoring, as well as consistent patch management and system updating to ensure the latest protections are in place across the entire environment, they said.
Organizations can also take
a zero-trust approach
to security to better arm themselves against complex attack chains, the researchers said. In a zero-trust approach, all traffic, including email communications and Web browsing, is inspected and analyzed in real-time, regardless of the users location or device.
This comprehensive inspection helps identify and block malicious emails, phishing attempts, and suspicious URLs associated with malware campaigns like Toitoin, the researchers noted.
Organizations also can deploy security platforms that use advanced threat intelligence and machine-learning algorithms to detect and block known and unknown malware variants to defend themselves.
By staying informed and proactive, businesses can effectively defend against emerging cyber threats and protect their critical assets, the researchers said.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Banking Firms Under Attack by Sophisticated Toitoin Campaign