TOITOIN Trojan targets Latin American businesses in a multi-stage attack

SISA Weekly Threat Watch - 17 July 2023

The increasing sophistication and evasiveness of modern cyber threats have become an important concern for organizations worldwide. Last week witnessed a range of such cyberattacks, including a significant Linux kernel flaw enabling privilege escalation, phishing campaigns leveraging new malware strains, targeted Office zero-day attacks, and the emergence of fileless malware targeting cloud workloads for cryptocurrency mining. These attacks highlight the evolving tactics employed by threat actors, emphasizing the need for organizations to strengthen their cybersecurity measures and remain vigilant against the ever-changing threat landscape.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. StackRot: A new Linux kernel flaw allows privilege escalation

The security flaw, known as StackRot, is a significant vulnerability that affects several Linux kernel versions and can be leveraged to escalate privileges and attack the kernel. The flaw affects the kernel’s memory management subsystem, the component in charge of implementing virtual memory and demand paging, memory allocation for the kernel’s needs and for user space programs, as well as mapping files into the processes’ address space.

Specifically, the weak spot is in “maple tree,” a new data structure system for VMAs introduced in Linux kernel 6.1 that replaced the “red-black trees” and relied on the read-copy-update (RCU) mechanism. The vulnerability is a use-after-free (UAF) problem stemming from the way stack expansion was handled, because the maple tree could replace a node without obtaining the memory management (MM) write lock. Patches have been made available for the vulnerable stable kernels with the release of versions 6.1.37, 6.3.11, and 6.4.1.
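A quick triage check against the patched releases named above, added here as an example (not SISA's tooling). It assumes the maple tree, and therefore the flaw, first appears in the 6.1 series, that any series after 6.4 carries the fix, and that 6.2 (not listed with a stable fix) should be treated as unpatched:

```python
import platform
import re

# Patched stable releases named in the advisory, keyed by (major, minor) series.
STACKROT_FIXED = {(6, 1): 37, (6, 3): 11, (6, 4): 1}
# Assumption: the maple tree VMA structure arrived in 6.1, so older series are unaffected.
MAPLE_TREE_INTRODUCED = (6, 1)


def parse_kernel_version(release):
    """Extract (major, minor, patch) from a `uname -r` style string such as '6.1.38-1-amd64'."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def stackrot_status(release):
    """Classify a kernel release as 'not affected', 'vulnerable' or 'patched' for StackRot."""
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) < MAPLE_TREE_INTRODUCED:
        return "not affected"
    fixed_patch = STACKROT_FIXED.get((major, minor))
    if fixed_patch is not None:
        return "patched" if patch >= fixed_patch else "vulnerable"
    # Assumption: series released after 6.4 already contain the fix;
    # a series with no listed stable fix (e.g. 6.2) is treated as unpatched.
    if (major, minor) > (6, 4):
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    running = platform.release()
    print(f"kernel {running}: {stackrot_status(running)}")
```

Distribution kernels often backport fixes without changing the upstream version number, so treat a "vulnerable" result as a prompt to check the vendor's changelog rather than a final verdict.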

2. Charming Kitten APT group expands tactics with NokNok malware

Security researchers have linked the Charming Kitten APT group to a recent phishing campaign using a new malware strain called NokNok. Posing as U.S. nuclear experts, the hackers employed social engineering and phishing techniques to target individuals, offering to review foreign policy drafts. Once trust was established, victims were sent a malicious link embedded with a Google Script macro. This redirected them to a Dropbox URL containing a password-protected RAR archive. Inside, a malware dropper used PowerShell code and an LNK file to stage the malware from a cloud hosting provider.

The final payload deployed was GorjolEcho, a backdoor allowing remote command execution. For macOS users, a different link hosted a ZIP file posing as a RUSI (Royal United Services Institute) VPN app. Executing the included AppleScript triggered a curl command, fetching the NokNok payload and establishing a backdoor. The NokNok malware gathers various system information such as the operating system version, running processes, and installed applications. This collected data is encrypted and base64-encoded before being exfiltrated. To protect critical assets and data, organizations should maintain up-to-date systems and software, employ strong email security measures, and implement robust endpoint protection.

3. Microsoft warns of Office zero-day attacks

An urgent warning from Microsoft claimed that Russian spies and fraudsters are actively using security flaws in Windows and Office products that have not yet been fixed. According to Microsoft, the CVE-2023-36884 bug was exploited recently in attacks against organizations attending the NATO Summit in Vilnius, Lithuania. The malware payloads, which included the MagicSpell loader and the RomCom backdoor, were installed by the attackers via fraudulent documents that seemed to be from the Ukrainian World Congress organization.

It may be effectively abused by crafting a malicious .docx or .rtf document that is intended to take advantage of the vulnerability and launch a remote code execution (RCE) attack. To do this, the specially crafted document is opened with a vulnerable version of MSDT, which then enables an attacker to provide a command to the utility for execution. While the flaw is not yet addressed, Microsoft says it will provide customers with patches via the monthly release process or an out-of-band security update. In current attack chains, the use of the ‘Block all Office applications from creating child processes’ Attack Surface Reduction rule can prevent the vulnerability from being exploited.

4. TOITOIN Trojan: A sophisticated multi-stage attack targeting LATAM businesses

A sophisticated malware campaign targeting Latin American businesses has been discovered, introducing the TOITOIN Trojan. This multi-stage attack begins with convincing phishing emails that lead to initial compromise. Custom modules are used at each stage to perform malicious activities, such as injecting harmful code into remote processes, bypassing User Account Control (UAC) using COM Elevation Moniker, and evading sandbox detection through system reboots and parent process checks.

Phishing emails use invoice-themed lures to deceive recipients. Inside the attached ZIP archive, a downloader executable establishes persistence by creating an LNK file in the Windows Startup folder. The downloader communicates with a remote server to retrieve six next-stage payloads in the form of MP3 files. One payload, “icepdfeditor.exe,” a valid signed binary, loads a rogue DLL called “ffmpeg.dll” (Krita Loader). This loader decodes a downloaded JPG file and launches the InjectorDLL module, which injects the ElevateInjectorDLL module into “explorer.exe.” UAC bypass is performed if needed, followed by decryption and injection of the TOITOIN Trojan into “svchost.exe.” To effectively counter these evolving malware campaigns, organizations must maintain vigilance, implement robust security controls such as network segmentation, the principle of least privilege, endpoint protection and User Account Control (UAC), and regularly update their security systems to protect against the ever-changing threat landscape.

5. Python-based Fileless malware PyLoose exploits cloud workloads for cryptocurrency mining

Researchers have discovered a new fileless malware called PyLoose, which specifically targets cloud workloads. This Python-based malware incorporates a compressed and encoded XMRig miner injected into system memory using a Linux fileless technique. The method of dissemination for PyLoose is undisclosed, but researchers speculate that threat actors exploited a publicly accessible Jupyter Notebook service for initial network entry.

Unlike traditional malware, fileless malware attacks do not rely on executable files on disk, allowing attackers to avoid detection while deploying the XMRig miner. Operating in system memory makes it challenging for security teams to investigate, since many detection systems monitor file actions. As fileless malware attacks continue to rise, organizations must invest in advanced security solutions such as Intrusion Detection and Prevention Systems (IDPS) and Advanced Endpoint Protection, as well as adopt robust defenses in runtime environments to effectively detect and prevent such threats.
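Because file monitoring misses an in-memory payload, one complementary check is to look at what each running process is actually executing from. The script below is an added example (not SISA's or the researchers' code) that walks a Linux /proc tree and flags processes whose executable is not backed by a file on disk; it assumes such loaders leave the process backed by an anonymous memfd or an unlinked temporary file, since the advisory does not name the exact technique:

```python
import os
import re
import sys

# Shapes a memory-backed executable leaves in /proc/<pid>/exe.
# Assumption: fileless loaders back the process with a memfd, a shm-resident
# file, or a file that was unlinked after exec (shown with a "(deleted)" suffix).
MEMORY_ONLY = re.compile(r"^/?memfd:|^/dev/shm/|\(deleted\)$")


def read_cmdline(pid_dir):
    """Return the NUL-separated command line as one printable string, or '' if unreadable."""
    try:
        with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def find_fileless_processes(proc_root="/proc"):
    """Return (pid, exe_target, cmdline) for every process whose exe link is not a regular on-disk path."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/sys, etc.
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:                  # kernel thread, exited process, or no permission
            continue
        if MEMORY_ONLY.search(target):
            findings.append((int(entry), target, read_cmdline(pid_dir)))
    return findings


if __name__ == "__main__":
    # Optional argument lets the scan run against a copied or mounted proc tree.
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    for pid, target, cmdline in find_fileless_processes(root):
        print(f"pid={pid} exe={target!r} cmdline={cmdline!r}")
```

Run it as root to see every process; without privileges the exe link of other users' processes is unreadable and silently skipped.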

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
