
Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023.

"This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage," Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week.

"These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks."

The six-stage endeavor has all the hallmarks of a well-crafted attack sequence, beginning with a phishing email containing an embedded link that points to a ZIP archive hosted on an Amazon EC2 instance to evade domain-based detections.

The email messages leverage an invoice-themed lure to trick unwitting recipients into opening them, thereby activating the infection.

Within the ZIP archive is a downloader executable that's engineered to set up persistence by means of an LNK file in the Windows Startup folder and communicate with a remote server to retrieve six next-stage payloads in the form of MP3 files.

The downloader is also responsible for generating a Batch script that restarts the system after a 10-second timeout. This is done so as to "evade sandbox detection since the malicious actions occur only after the reboot," the researchers said.

Included among the fetched payloads is "icepdfeditor.exe," a valid signed binary by ZOHO Corporation Private Limited, which, when executed, sideloads a rogue DLL ("ffmpeg.dll") codenamed the Krita Loader.

"This technique allows the malware to manipulate system files and execute commands with elevated privileges, facilitating further malicious activities," the researchers explained.

TOITOIN comes with capabilities to gather system information as well as harvest data from installed web browsers such as Google Chrome, Microsoft Edge, Internet Explorer, Mozilla Firefox, and Opera.

Furthermore, it checks for the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module integrated into banking platforms in the LATAM region.
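Three steps of the chain described in the report (an LNK dropped in the Startup folder, a batch-driven reboot, and a dropped executable sideloading an unsigned DLL) leave traces in endpoint telemetry. The detector below is an added example, not code from Zscaler or the report: it runs over constructed Sysmon-style events (field names modelled on Sysmon's FileCreate, ProcessCreate and ImageLoad events; the user name, paths and the benign control event are assumptions).

```python
import ntpath

# Constructed Sysmon-style events (sample data made up for this example).
SAMPLE_EVENTS = [
    {"type": "FileCreate",
     "Image": r"C:\Users\ana\AppData\Local\Temp\downloader.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.lnk"},
    {"type": "ProcessCreate",
     "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown /r /t 10",          # reboot after 10 s, launched from a .bat
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"type": "ImageLoad",
     "Image": r"C:\Users\ana\AppData\Local\Temp\icepdfeditor.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\ffmpeg.dll",
     "Signed": "false"},                           # Sysmon: signature state of ImageLoaded
    {"type": "ImageLoad",                          # benign control: system DLL from System32
     "Image": r"C:\Program Files\VideoApp\player.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
]

STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Directories a standard user can write to; a DLL sideloaded next to a dropped
# binary will normally sit in one of these rather than in Program Files/System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def _dir(path):
    """Lower-cased parent directory of a Windows path, with trailing backslash."""
    return ntpath.dirname(path).lower() + "\\"


def detect(events):
    """Return (rule, actor, artefact) tuples for events matching the chain."""
    findings = []
    for e in events:
        if e["type"] == "FileCreate":
            target = e["TargetFilename"].lower()
            if STARTUP_DIR in target and target.endswith(".lnk"):
                findings.append(("startup_lnk_persistence", e["Image"], e["TargetFilename"]))
        elif e["type"] == "ProcessCreate":
            image = ntpath.basename(e["Image"]).lower()
            parent = ntpath.basename(e.get("ParentImage", "")).lower()
            args = e.get("CommandLine", "").lower().split()
            if image == "shutdown.exe" and "/r" in args and parent == "cmd.exe":
                findings.append(("scripted_reboot", e["ParentImage"], e["CommandLine"]))
        elif e["type"] == "ImageLoad":
            loaded = e["ImageLoaded"]
            # Unsigned DLL loaded from the loading process's own user-writable directory.
            if (loaded.lower().endswith(".dll") and str(e.get("Signed", "")).lower() != "true"
                    and _dir(loaded) == _dir(e["Image"])
                    and any(m in _dir(loaded) for m in USER_WRITABLE)):
                findings.append(("possible_dll_sideload", e["Image"], loaded))
    return findings
```

The sideload rule flags any unsigned DLL loaded from the loader's own user-writable directory, which covers the icepdfeditor.exe/ffmpeg.dll pairing in the report without keying on those file names.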
