The Toitoin Trojan is a sophisticated piece of malware that has been found to be part of a persistent campaign targeting businesses in the LATAM region. This malicious software infiltrates systems, often undetected, through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, and transmit encoded system information, browser details, and Topaz OFD Protection Module information to its Command & Control (C&C) server located at http[:]//afroblack[.]shop/CasaMoveis\ClienteD.php.
The Trojan operates by leveraging decrypted strings and performing checks on the system's Windows version, installed browsers, and the presence of the Topaz OFD Protection Module, adapting its behavior based on these factors. The InjectorDLL component of the Trojan injects ElevateInjectorDLL into the "explorer.exe" process. If necessary, it carries out a User Account Control (UAC) bypass to elevate the process privileges. Subsequently, the Toitoin Trojan is decrypted and injected into the "svchost.exe" process, as depicted in Figure 25.
If the Trojan cannot locate the INI configuration file containing the URL to the C&C server, it resorts to sending the system information through a curl command. The final payload of the Toitoin Trojan uses custom XOR decryption routines to decode the configuration file containing the C&C server's URL. This Trojan represents a significant threat to businesses due to its ability to adapt based on the system's characteristics and its persistence in maintaining communication with its C&C server.
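The description above gives two network-level indicators a defender can act on: the C&C domain and the script path the Trojan posts to, plus the fallback of exfiltrating via a curl command. The following added example (not code from the original description or from the malware authors) shows how to run those indicators over proxy log lines. The log format, the sample lines and the severity scheme are constructed assumptions for the demonstration; the indicators themselves are kept defanged in the source and refanged only at match time.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Indicators taken from the threat description above. They are stored defanged
# so the script itself never contains a live URL.
C2_DOMAIN_DEFANGED = "afroblack[.]shop"
C2_PATH_DEFANGED = "/CasaMoveis\\ClienteD.php"   # path exactly as shown in the description


def refang(value: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def normalise_path(path: str) -> str:
    """Treat backslash and forward slash alike and ignore case, so the path matches
    whether a client sent it with the backslash from the description or a normal slash."""
    return path.replace("\\", "/").lower()


# Constructed proxy log lines (Squid-style, space separated; assumed format):
# timestamp client_ip method url status user_agent
SAMPLE_PROXY_LOG = """\
1714860001.120 10.0.0.15 GET http://example.org/index.html 200 Mozilla/5.0
1714860002.331 10.0.0.23 POST http://afroblack.shop/CasaMoveis/ClienteD.php 200 curl/7.68.0
1714860003.005 10.0.0.23 GET http://afroblack.shop/ 200 Mozilla/5.0
1714860004.770 10.0.0.42 GET http://updates.example.com/patch.exe 200 Mozilla/5.0
1714860005.901 10.0.0.23 POST http://afroblack.shop/CasaMoveis\\ClienteD.php 200 Mozilla/5.0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) (?P<ua>.*)$"
)


def classify(url: str, user_agent: str) -> Optional[str]:
    """Return a severity for one request, or None when it does not touch the C&C domain.

    Severity scheme (an assumption of this example, not from the description):
      critical - exact C&C endpoint reached with a curl user agent, matching the
                 description's fallback of exfiltrating via a curl command
      high     - exact C&C endpoint reached with any other user agent
      medium   - any other request to the C&C domain
    """
    parts = urlsplit(url)
    if parts.hostname != refang(C2_DOMAIN_DEFANGED):
        return None
    if normalise_path(parts.path) == normalise_path(C2_PATH_DEFANGED):
        return "critical" if user_agent.startswith("curl/") else "high"
    return "medium"


def scan_proxy_log(text: str) -> List[dict]:
    """Parse proxy log lines and return one record per request that matched an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        severity = classify(m["url"], m["ua"])
        if severity:
            hits.append({
                "timestamp": m["ts"],
                "client": m["client"],
                "method": m["method"],
                "url": m["url"],
                "user_agent": m["ua"],
                "severity": severity,
            })
    return hits


def hosts_contacting_c2(hits: List[dict]) -> List[str]:
    """Distinct internal hosts that talked to the C&C domain; these are the triage candidates."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{hit['severity']:8}] {hit['client']} {hit['method']} {hit['url']} ({hit['user_agent']})")
    print("hosts to triage:", hosts_contacting_c2(scan_proxy_log(SAMPLE_PROXY_LOG)))
```

Matching on the hostname rather than substring-searching the raw line avoids false positives on unrelated domains that merely contain the indicator, and normalising the path separator matters here because the description records the endpoint with a backslash, which some clients and log pipelines rewrite as a forward slash.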
Description last updated: 2024-05-04T23:21:00.438Z