Toitoin is a multi-stage malware campaign targeting businesses in the Latin American (LATAM) region. The infection chain starts with a phishing email that delivers a malicious ZIP archive to the victim's system. From there it unpacks a series of modules: a Downloader module, the Krita loader DLL, an InjectorDLL module, an ElevateInjectorDLL module and a BypassUAC module. Together these modules evade sandbox analysis, perform process hollowing, inject either the Toitoin Trojan or the BypassUAC module depending on the privileges of the current process, and finally deploy the Toitoin Trojan.
The campaign proceeds in six stages, each built for a specific task: injecting code into remote processes, bypassing User Account Control through the COM Elevation Moniker, and evading analysis with tricks such as forcing a system reboot and checking the parent process. The final payload is the Toitoin Trojan itself, which decodes its configuration file with a custom XOR-based decryption routine.
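The description above does not document Toitoin's actual XOR routine or key, so the following Python is an added illustration, not code from the original description or from the malware, of the general technique an analyst applies to a repeating-key XOR-encoded configuration: recover the key from a known plaintext fragment (a "crib" such as a field name that the config is expected to contain), verify the candidate, and decode the blob. The key, the field layout and the encoded blob are constructed for the example and are assumptions, not Toitoin's real values.

```python
"""Repeating-key XOR config decoding with key recovery from a crib.

Illustrative only: SAMPLE_KEY, SAMPLE_CONFIG and SAMPLE_BLOB are constructed
for this example and are not Toitoin's real key, layout or data.
"""
from itertools import cycle

# Constructed sample data (assumptions for the example, not from any sample).
SAMPLE_KEY = b"k3y!"
SAMPLE_CONFIG = b"host=203.0.113.7;port=8443;tag=cfg-v1;sleep=30"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key`. XOR is its own inverse, so the
    same call both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# The blob an analyst would carve out of a sample (constructed here).
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)


def recover_key(blob: bytes, crib: bytes, key_len: int, offset: int) -> bytes:
    """Derive a `key_len`-byte repeating key on the assumption that the
    plaintext contains `crib` starting at `offset`. Only the first `key_len`
    bytes of the crib are consumed; the rest are left for verification."""
    if len(crib) < key_len:
        raise ValueError("crib must be at least key_len bytes long")
    if offset + len(crib) > len(blob):
        raise ValueError("crib does not fit in blob at that offset")
    key = bytearray(key_len)
    for i in range(key_len):
        # The key byte used at absolute position p is key[p % key_len].
        key[(offset + i) % key_len] = blob[offset + i] ^ crib[i]
    return bytes(key)


def find_key_by_crib(blob: bytes, crib: bytes, max_key_len: int = 16):
    """Brute-force the key length and the crib position. A candidate is
    accepted only if the bytes of the crib beyond the first key_len (which
    match by construction) also decode correctly and the whole decoded
    buffer is printable ASCII. Returns (key, offset) or None."""
    # Keep key_len < len(crib) so at least one crib byte verifies the guess.
    for key_len in range(1, min(max_key_len, len(crib) - 1) + 1):
        for offset in range(len(blob) - len(crib) + 1):
            key = recover_key(blob, crib, key_len, offset)
            plain = xor_bytes(blob, key)
            if plain[offset:offset + len(crib)] != crib:
                continue
            if all(32 <= b < 127 for b in plain):
                return key, offset
    return None


def parse_config(plain: bytes) -> dict:
    """Split a decoded 'k=v;k=v' configuration into a dict (assumed layout)."""
    out = {}
    for field in plain.decode("ascii").split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            out[name] = value
    return out


if __name__ == "__main__":
    hit = find_key_by_crib(SAMPLE_BLOB, b"host=")
    if hit is None:
        raise SystemExit("no key found")
    key, offset = hit
    decoded = xor_bytes(SAMPLE_BLOB, key)
    print(f"key={key!r} crib at offset {offset}")
    print(parse_config(decoded))
```

The crib need not sit at the start of the blob: the search tries every offset, so a field name that appears in the middle of the configuration works just as well, and the printability filter rejects the shifted, mostly-random decodings that a wrong key length produces.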
Toitoin collects system information such as the computer name, Windows version and installed browsers and sends it back to the attackers. It adapts its behaviour to what it finds, including whether the Topaz OFD - Protection Module (an anti-fraud component used by LATAM banks) is present, and the UAC bypass performed in the earlier stages ensures that the final Toitoin payload runs with elevated privileges. As researchers have noted, a campaign this layered demands an equally thorough response from targeted organisations: inbound mail should be inspected so that the malicious emails, phishing lures and suspicious URLs associated with the campaign are identified and blocked.
Description last updated: 2024-05-04T19:52:02.604Z