Multi-stage TOITOIN Trojan Abusing Amazon EC2 Instances to Evade Detections

Multi-stage TOITOIN Trojan Abusing Amazon EC2 Instances to Evade Detections

New advanced malware targets LATAM businesses with TOITOIN Trojan, revealing intricate layers. The complete attack is based on a multi-stage process that involves the following key things which highlight the severe effect of it:-

Phishing emails

Custom built modules

Sophisticated TTPs

The cybersecurity researchers at Zscaler ThreatLabz recently uncovered a new targeted attack on LATAM (Latin American) businesses in the current era of evolving cyber threat landscape.

Across each stage, a multi-staged infection chain is followed using the custom modules by the trojan that is deployed in this campaign.

Through the reboots and process checks, the custom modules execute malicious activities like:-

Code injection

UAC circumvention

Sandbox evasion

Campaign deploys TOITOIN Trojan, which is the ultimate payload with XOR decryption for configuration file decoding. Decrypted trojan collects the following data and sends them to the attackers’ server in encoded format:-

System info

Browser data

Topaz OFD info

TOITOIN Trojan Infection Chain

A major breakthrough was made by the threat hunters within the Zscaler cloud in May 2023. They found compressed ZIP archives that comprise several hidden malware samples, all hosted by Amazon EC2.

ZIP archives hosted on Amazon EC2 (Source – Zscaler)

The targeted campaign uses the TOITOIN malware infection chain, starting with a well-crafted phishing email compromise. While the deceptive email strategically targets a Latin American Investment Banking company in this campaign. 

Infection Chain (Source – Zscaler)

The email is carefully crafted with a Payment Notification Lure, urging the recipient to click ‘Visualizar Boleto’ (View Invoice). While this creates urgency among users and lures them to open the contents of the email, making them fall into the threat actors’ trap. 

Phishing email (Source – Zscaler)

A chain of events was initiated by the user unknowingly when they click the phishing email button.

Then the following URL is opened, which serves as an intermediary redirect:-


Now after that, to the following address, once again the browser of the victim gets redirected:-


Now here, to compromise the defense mechanism of the victim, the malicious ZIP archive is downloaded onto the system of the victim discreetly.

Here below we have mentioned all the domains that are used to deliver the malicious ZIP archives:-




Threat actors use dynamic ZIP archive names, making it harder to detect and mitigate their intentions. 

Multi-Staged TOITOIN Infection Chain

The multi-staged TOITOIN infection chain involves six stages, and here below we have mentioned them:-

Stage-1: Downloader module

Stage-2: Krita Loader DLL (ffmpeg.dll)

Stage-3: InjectorDLL Module

Stage-4: ElevateInjectorDLL Module

Stage-5: BypassUAC Module

Stage-6: TOITOIN Trojan

While for communication, the TOITOIN Trojan communicates with C&C (Command & Control) server that is located at:-


Then it transmits the following information:-

Encoded system information

Browser details

Topaz OFD Protection Module information

TOITOIN malware campaign exposes the evolving tactics of threat actors targeting businesses in Latin America. While for successful malicious payload delivery, they use:-

Deceptive phishing emails

Intricate redirect mechanisms

Domain diversification

Moreover, the use of Amazon EC2 and dynamic file names shows their persistence in compromising systems and also the capability to adapt.

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

The post Multi-stage TOITOIN Trojan Abusing Amazon EC2 Instances to Evade Detections appeared first on Cyber Security News.

   Read More 

Cyber Security News