Friday, February 21, 2025

New TicTacToe Malware Dropper Attacking Windows Users


Malware often targets Windows users because the operating system's widespread popularity makes it a lucrative target for threat actors.

Windows systems have historically been seen as more exposed because of their larger user base and the large number of security vulnerabilities found in them.

The FortiGuard team recently discovered a cluster of malware droppers delivering various final-stage payloads in 2023. 

In a report shared with Cyber Security News (CSN), Fortinet affirmed these droppers use multiple stages of obfuscated payloads, with some identified payloads including Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos. 

Named the ‘TicTacToe dropper,’ the cluster is identified by a recurring Polish-language string, ‘Kolko_i_krzyzyk,’ which translates to tic-tac-toe.


Technical analysis

Security analysts found dropper samples delivering malware via .iso files in phishing attachments (T1566.001). Packaging the malware inside an ISO image helps it evade antivirus detection and bypass mark-of-the-web protections (T1553.005).

The ISO contained an executable carrying nested DLL files that are decoded at runtime, and the extraction process is involved.

TicTacToe dropper extraction process (Source - Fortinet)

The dropper consistently delivered various remote access tools (RATs) for over a year. The initial sample, ‘ALco.exe’ (SHA-1 b6914b8fa3d0b67eb6173123652b7f0682cd24fb), is a 32-bit .NET executable. Upon execution, it loads a .NET PE DLL file directly into memory without writing it to disk.

Extracting the PE DLL file from the dropper EXE in the tool dnSpy (Source - Fortinet)

The researchers extracted the DLL at runtime and named it ‘Hadval.dll’ (the ‘stage 2 payload’). This 32-bit .NET PE DLL is obfuscated with DeepSea 4.1 and has unreadable function names and control-flow obfuscation, distinct from the obfuscation of the primary executable (whose obfuscator version was not determined).

Obfuscated code of Hadval.dll shown in the dnSpy tool (Source - Fortinet)

De4dot, an open-source .NET de-obfuscator, successfully removed the DeepSea 4.1 obfuscation from Hadval.dll. The tool detected the obfuscator and produced a cleaner C# decompilation of the file.

De-obfuscating intermediate payload hadval.dll (Source - Fortinet)

While debugging ‘ALco.exe,’ security analysts found that Hadval.dll extracts a gzip blob that decompresses to a 32-bit PE DLL (‘cruiser.dll’) protected by SmartAssembly. 

SmartAssembly protects .NET code from reverse engineering with obfuscation and encryption intended to prevent intellectual property theft. Its use is nevertheless visible in the ‘Detect It Easy’ tool.

Detect It Easy output (Source – Fortinet)
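To see how an analyst can recover a stage like cruiser.dll from a captured buffer without letting the dropper run to completion, here is an added example (written for this article, not Fortinet's tooling and not code from any TicTacToe sample): a small Python triage helper that scans a byte buffer, such as a memory dump or the decoded resource of the stage 2 DLL, for gzip streams, inflates each one, and reports those that inflate to a PE image together with the COFF machine field (0x14C for the 32-bit stages described above). The carrier buffer and the minimal PE inside it are constructed here for the demonstration; the decoy text stream shows that non-PE blobs are skipped.

```python
import gzip
import struct
import zlib

# gzip member header: ID1 ID2 CM (CM = 8 means DEFLATE)
GZIP_MAGIC = b"\x1f\x8b\x08"


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_machine(data: bytes) -> int:
    """COFF Machine field; 0x14C is 32-bit x86, which is what the TicTacToe stages are."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def carve_gzip_blobs(buf: bytes):
    """Yield (offset, inflated_bytes) for every complete gzip stream found in buf.

    Every occurrence of the magic is tried; false positives either raise
    zlib.error or never reach end-of-stream, and are skipped.
    """
    start = 0
    while True:
        off = buf.find(GZIP_MAGIC, start)
        if off == -1:
            return
        inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # +16 selects gzip framing
        try:
            out = inflater.decompress(buf[off:])
            if inflater.eof:
                yield off, out
        except zlib.error:
            pass
        start = off + 1


def find_embedded_pe(buf: bytes) -> list:
    """Describe every gzip-compressed PE image hidden in buf (offset, size, machine)."""
    hits = []
    for off, payload in carve_gzip_blobs(buf):
        if is_pe(payload):
            hits.append({"offset": off, "size": len(payload), "machine": pe_machine(payload)})
    return hits


# --- Constructed sample data (not taken from any real TicTacToe sample) -------

def build_minimal_pe(machine: int = 0x14C) -> bytes:
    """A header-only PE image: DOS stub, e_lfanew = 0x40, PE signature, 20-byte COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x2102)
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * 64


SAMPLE_PE = build_minimal_pe()
PREFIX = b"\x00" * 64 + b"resource table padding"
TEXT_BLOB = gzip.compress(b"this gzip stream is not a PE and must be skipped")
PE_BLOB = gzip.compress(SAMPLE_PE)
# Carrier buffer standing in for a dumped stage body: noise, a decoy stream, then the real stage.
SAMPLE_CARRIER = PREFIX + TEXT_BLOB + b"\x00" * 32 + PE_BLOB + b"\xff" * 16
EXPECTED_OFFSET = len(PREFIX) + len(TEXT_BLOB) + 32


if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_CARRIER):
        print(f"gzip-wrapped PE at offset {hit['offset']}: "
              f"{hit['size']} bytes, machine=0x{hit['machine']:X}")
```

Run against a real dump, the reported offset and size are what you would pass to a carving step before handing the inflated image to dnSpy or de4dot; the machine check is a cheap sanity filter for the 32-bit stages this dropper uses.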

De4dot cleaned cruiser.dll, revealing a ‘Munoz’ class that creates a copy of the executable in the temp folder; this payload matches the one analyzed by Jai Minton.

The cruiser.dll code extracts and executes the stage 4 payload (‘Farinell2.dll’) from the bitmap object ‘dZAu.’

Antivirus engines recognized the final payload as ‘Zusy Banking Trojan’ or ‘Leonem,’ also known as ‘TinyBanker’ or ‘Tinba’ by some researchers.

Similarities

The following traits are shared across the TicTacToe dropper samples:

  • Multi-stage layered payloads.
  • Dropper payloads all .NET executables/libraries.
  • One or more payloads obfuscated using SmartAssembly software.
  • Nesting of DLL files used to unpack obfuscated payloads.
  • All payload stages were loaded reflectively.
  • Most primary .NET payloads had internal names with a combination of 3 to 8 letters in varying cases.
  • Many samples had standard strings for the month they were delivered.
  • Some of the samples try to create a copy of themselves.

Since the dropper delivers a variety of payloads, it is likely used by a diverse set of threat actors. Understanding and preventing its execution therefore blocks many different payloads at once.

Tushar Subhra