The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region

Researchers analyzed a targeted LATAM campaign that delivers the TOITOIN trojan via multi-stage modules, using phishing redirects, randomized ZIP payloads hosted on Amazon EC2, DLL sideloading, process injection, and a COM Elevation Moniker UAC bypass. The final TOITOIN backdoor decodes an XOR‑obfuscated INI to get C2 URLs, harvests system and browser details (including Topaz OFD presence), and exfiltrates them to attacker servers. #TOITOIN #AmazonEC2

Keypoints

  • Campaign targets businesses in the LATAM region using phishing emails that redirect victims to domains which serve randomized ZIP archives hosted on Amazon EC2.
  • Initial downloader (HCEMH…exe) performs reverse/XOR string decryption, creates persistence via dynamically named .LNK in Startup, and restarts the system to evade sandboxes.
  • Signed binary (icepdfeditor.exe) is used for DLL side‑loading of the Krita Loader (ffmpeg.dll), which decodes embedded data (from JPG files) and drops a PE Loader (InjectorDLL) into memory.
  • InjectorDLL decodes and injects ElevateInjectorDLL into explorer.exe using OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread; ElevateInjectorDLL performs parent‑process checks and process hollowing.
  • When not elevated, the chain launches a BypassUAC module that abuses the COM Elevation Moniker and elevated COM objects to copy cmd.exe, spawn an elevated process, and execute the signed sideloading binary with admin rights.
  • The final TOITOIN trojan reads a reversed hex INI, uses custom XOR to decrypt the C2 URL(s), collects Windows version, drive, installed browsers and Topaz OFD info, and exfiltrates encoded data to C2 (curl POST fallback if INI absent).
  • Zscaler researchers recovered multiple IOCs (hashes, domains, IPs) and an open attacker directory hosting stager modules dating back to March 2023.
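The reversed-hex INI and XOR-based config decoding described in the keypoints, shown as an added analyst helper that is not code from the Zscaler report. The actual TOITOIN key and the exact XOR variant are not published on this page, so KEY and the repeating-key XOR are assumptions; the sample INI is constructed here using two C2 domains the page lists, and decoded URLs are defanged for IOC reporting.

```python
from urllib.parse import urlparse

# Assumed key: the real sample's key and exact XOR variant are not on the page.
KEY = b"example-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed stand-in for the report's 'custom XOR')."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_ini_value(plaintext: str, key: bytes = KEY) -> str:
    """XOR, hex-encode, then reverse the hex string. Used here only to build
    sample input in the reversed-hex shape the report describes."""
    return xor_bytes(plaintext.encode(), key).hex()[::-1]


def decode_ini_value(value: str, key: bytes = KEY) -> str:
    """Undo the encoding: reverse the string, hex-decode, XOR with the key."""
    raw = bytes.fromhex(value[::-1])
    return xor_bytes(raw, key).decode("utf-8", errors="replace")


def defang(url: str) -> str:
    """Render a decoded C2 URL as http[:]//host[.]tld/path for a report."""
    p = urlparse(url)
    return f"{p.scheme}[:]//{p.netloc.replace('.', '[.]')}{p.path}"


def extract_c2_urls(ini_text: str, key: bytes = KEY) -> list[str]:
    """Walk key=value lines, decode each value, and keep those that decode to
    an http(s) URL. Values that are not valid hex are skipped, not errors."""
    found = []
    for line in ini_text.splitlines():
        if "=" not in line or line.lstrip().startswith(("[", ";")):
            continue
        _, value = line.split("=", 1)
        try:
            decoded = decode_ini_value(value.strip(), key)
        except ValueError:  # odd length or non-hex characters: not an encoded value
            continue
        parsed = urlparse(decoded)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            found.append(defang(decoded))
    return found


# Constructed sample INI (not a real TOITOIN artifact) using URLs/domains from the page.
SAMPLE_INI = "\n".join([
    "[config]",
    "url1=" + encode_ini_value("http://afroblack.shop/CasaMoveisClienteD.php"),
    "url2=" + encode_ini_value("http://bragancasbrasil.com/"),
    "note=not-encoded-text",
])
```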

MITRE Techniques

  • [T1566] Phishing – Used as the initial lure via a payment notification email that redirects the victim to download a malicious ZIP (‘…initial compromise phishing email.’).
  • [T1064] Scripting – Batch and VBScript are created and executed to write startup .LNK files and launch payloads (‘…the batch script writes and executes a VBScript within the temp directory.’).
  • [T1037] Startup Items – Persistence via dynamically named .LNK file placed in the Startup folder to run the signed binary at boot (‘…creating a shortcut (.LNK) file in the startup folder.’).
  • [T1055] Process Injection – Multiple modules inject code into explorer.exe and svchost.exe using OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread (‘…injected into the remote process “explorer.exe.”’).
  • [T1018] Remote System Discovery – The malware queries system environment and registry to gather Windows version and other system details prior to exfiltration (‘…gathers crucial system information…’).
  • [T1082] System Information Discovery – TOITOIN reads registry ProductName and environment variables to determine OS, drive, and bitness (‘…fetches the Windows version by querying the ProductName registry key value’).
  • [T1083] File and Directory Discovery – The trojan checks for installed browsers and Topaz OFD by verifying paths and files on disk (‘…checks if specific web browsers are installed on the system by verifying the existence of corresponding folders and files.’).
  • [T1548.002] Bypass UAC: COM Elevation Moniker – BypassUAC uses the COM Elevation Moniker and elevated COM objects (CLSID values) to execute commands with admin privileges (‘…leverages the COM Elevation Moniker “Elevation:Administrator!new:” along with specific elevated COM Objects.’).
  • [T1574.002] DLL Side‑Loading – A signed Zoho binary is abused to sideload the malicious Krita Loader DLL from the current directory (‘…sideloads the malicious Krita Loader DLL “ffmpeg.dll” from the current directory’).
  • [T1055.012] Process Hollowing – ElevateInjectorDLL performs process hollowing to inject BypassUAC into a suspended explorer.exe for privilege escalation (‘…performs process hollowing, and injects either the TOITOIN Trojan or BypassUAC module based on process privileges.’).

Indicators of Compromise

  • [File Hash] downloader & modules – 8fc3c83b88a3c65a749b27f8439a8416 (downloader), 7871f9a0b4b9c413a8c7085983ec9a72 (TOITOIN Trojan), and 4 more hashes.
  • [Domains/URLs] delivery & C2 – http[:]//cartolabrasil[.]com (payload host), http[:]//afroblack[.]shop/CasaMoveisClienteD.php (C2 endpoint), and other delivery domains like alemaoautopecas[.]com.
  • [IP/Host] infrastructure – 191[.]252[.]203[.]222/Up/indexW.php (open directory with stagers), 179[.]188[.]38[.]7 (observed C2 IP).
  • [File Names] payloads & sideloading – HGATH33693LQEMJ.zip (downloaded archive), HCEMH.hqdrm.63130.exe (downloader), icepdfeditor.exe (signed binary used for DLL sideloading), ffmpeg.dll (malicious Krita Loader DLL).

In technical sequence: a phishing email redirects victims through intermediary domains to randomized ZIP archives hosted on Amazon EC2. The ZIP contains a downloader executable that uses a reverse‑concatenate + XOR string decryptor to obtain URLs, file names, and paths; writes a batch script and a VBScript to place a dynamically named .LNK in Startup; downloads multiple encrypted payloads (served as .mp3); writes them to Public Documents under dynamic names; creates an INI with encoded payload metadata; and forces a reboot to evade sandboxes, so that the .LNK triggers the signed binary on the next boot.

On reboot the signed Zoho binary (icepdfeditor.exe) is executed and side‑loads ffmpeg.dll (Krita Loader) from the current directory; the loader decodes embedded data from reverse‑encoded JPG blobs and base64‑decodes a PE (InjectorDLL) into memory. InjectorDLL decodes another stage and injects ElevateInjectorDLL into explorer.exe using OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread; ElevateInjectorDLL performs parent‑process and mutex checks for sandbox evasion and then, if not elevated, uses process hollowing to inject the BypassUAC module into a suspended explorer.exe.

BypassUAC leverages the COM Elevation Moniker (“Elevation:Administrator!new:”) and elevated COM objects (CLSID {3AD05575-8857-4850-9277-11B85BDB8E09} and {BDB57FF2-79B9-4205-9447-F5FE85F37312}) to copy cmd.exe with admin rights, spawn an elevated helper (bdeunlock.exe) and launch the signed binary elevated, enabling admin sideloading of the Krita Loader. Once elevated, the chain decrypts the final TOITOIN payload and injects it into svchost.exe; the trojan then reads the reversed hex INI, XOR‑decrypts the C2 URLs (examples: afroblack[.]shop, bragancasbrasil[.]com), collects OS, browser and Topaz OFD presence, encodes that data and exfiltrates it to the C2 (falling back to a curl POST if the INI is absent).
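Detection logic for three observable steps of the chain above (DLL sideloading of ffmpeg.dll by icepdfeditor.exe from a user-writable directory, a .LNK dropped into the Startup folder, and a remote thread created in explorer.exe or svchost.exe from a non-system binary), added here as an example and not taken from the Zscaler report. Field names follow Sysmon event IDs 7, 11 and 8, and the events are constructed for the example; the user name and .LNK name are placeholders.

```python
import ntpath

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_sideload(ev: dict):
    """Sysmon EID 7: signed icepdfeditor.exe loading ffmpeg.dll from a user-writable path."""
    if ev.get("EventID") != 7:
        return None
    if _base(ev["Image"]) != "icepdfeditor.exe" or _base(ev["ImageLoaded"]) != "ffmpeg.dll":
        return None
    if not any(m in ev["ImageLoaded"].lower() for m in USER_WRITABLE):
        return None  # loaded from an install directory: treat as benign here
    return f"sideload: {ev['Image']} loaded {ev['ImageLoaded']}"


def check_startup_lnk(ev: dict):
    """Sysmon EID 11: a .LNK written into a Startup folder (persistence)."""
    if ev.get("EventID") != 11:
        return None
    target = ev["TargetFilename"].lower()
    if STARTUP_MARKER in target and target.endswith(".lnk"):
        return f"startup-lnk: {ev['Image']} wrote {ev['TargetFilename']}"
    return None


def check_remote_thread(ev: dict):
    """Sysmon EID 8: remote thread into explorer.exe/svchost.exe from outside C:\\Windows."""
    if ev.get("EventID") != 8 or _base(ev["TargetImage"]) not in INJECTION_TARGETS:
        return None
    if ev["SourceImage"].lower().startswith("c:\\windows\\"):
        return None
    return f"remote-thread: {ev['SourceImage']} -> {ev['TargetImage']}"


def scan(events: list) -> list:
    """Apply every rule to every event; return the alert strings in event order."""
    rules = (check_sideload, check_startup_lnk, check_remote_thread)
    return [hit for ev in events for r in rules if (hit := r(ev))]


# Constructed events (not real telemetry); paths mirror the report's Public Documents staging.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Documents\icepdfeditor.exe",
     "ImageLoaded": r"C:\Users\Public\Documents\ffmpeg.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PLACEHOLDER.lnk"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\Documents\icepdfeditor.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\VideoTool\player.exe",
     "ImageLoaded": r"C:\Program Files\VideoTool\ffmpeg.dll"},  # benign ffmpeg load
]
```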

Read more: https://www.zscaler.com/blogs/security-research/toitoin-trojan-analyzing-new-multi-stage-attack-targeting-latam-region