Attacks with the novel TOITOIN banking trojan have been deployed against the Windows systems of businesses in Latin America since May, according to The Hacker News.
Threat actors commence the intrusions through phishing emails that include a link redirecting to an Amazon EC2-hosted ZIP archive, which enables persistence through an LNK file in the Windows Startup folder before retrieving six additional payloads as MP3 files from a remote server, a report from Zscaler revealed.
Execution of the fetched, validly signed ZOHO binary sideloads a rogue Krita Loader DLL, which deploys the InjectorDLL module and ultimately delivers TOITOIN; the trojan not only collects browser-stored information but also checks targeted devices for the presence of the Topaz Online Fraud Detection system.
"Through deceptive phishing emails, intricate redirect mechanisms, and domain diversification, the threat actors successfully deliver their malicious payload... The multi-staged infection chain observed in this campaign involves the use of custom-developed modules that employ various evasion techniques and encryption methods," said researchers.
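Two of the chain's traits described above are cheap to check for on an endpoint: payloads stored under an .mp3 name that are really PE images or ZIP archives, and an LNK file dropped into the per-user Startup folder. The following is an added defender-side example, not code from the report or from Zscaler; the sample tree it scans is constructed in a temporary directory, and the Startup path is assumed to be the standard per-user one.

```python
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Magic bytes of the two container types in the reported chain: a PE image
# (Windows EXE/DLL) and a ZIP archive. Audio files start with "ID3" or an
# MPEG frame sync, never with these.
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip"}
MEDIA_EXTS = {".mp3", ".wav", ".ogg", ".m4a"}
# Assumed per-user Startup folder, relative to the profile root.
STARTUP = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")


def sniff(header: bytes) -> Optional[str]:
    """Identify PE or ZIP content from the first bytes of a file."""
    for magic, kind in MAGIC.items():
        if header.startswith(magic):
            return kind
    return None


def classify(name: str, header: bytes) -> Optional[str]:
    """Return the real content type when a media-named file is not media."""
    if Path(name).suffix.lower() in MEDIA_EXTS:
        return sniff(header)
    return None


def scan(root: Path) -> List[Tuple[str, str]]:
    """Walk a tree; report media-named PE/ZIP files and any Startup .lnk."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        kind = classify(p.name, p.read_bytes()[:4])
        if kind:
            findings.append((str(p.relative_to(root)), f"{kind} disguised as media"))
        if p.suffix.lower() == ".lnk" and p.parent.name == "Startup":
            findings.append((str(p.relative_to(root)), "lnk in Startup folder"))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Constructed sample tree (not real malware): two decoys, one real MP3."""
    root = Path(tempfile.mkdtemp())
    startup = root / STARTUP
    startup.mkdir(parents=True)
    (root / "stage1.mp3").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)        # PE under .mp3 name
    (root / "stage2.mp3").write_bytes(b"PK\x03\x04" + b"\x00" * 60)       # ZIP under .mp3 name
    (root / "song.mp3").write_bytes(b"ID3\x03\x00" + b"\x00" * 60)        # genuine MP3 header
    (startup / "update.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 60)  # shell link header
    return scan(root)


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```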
Latin American businesses subjected to novel TOITOIN banking trojan attacks