New TicTacToe Malware Dropper Attacking Windows Users

Malware often targets Windows users due to the operating system’s widespread popularity, making it a lucrative target for threat actors. 

Windows systems have historically been perceived as more vulnerable due to their larger user base and most security vulnerabilities.

The FortiGuard team recently discovered a cluster of malware droppers delivering various final-stage payloads in 2023. 

In a report shared with Cyber Security News (CSN), Fortinet affirmed these droppers use multiple stages of obfuscated payloads, with some identified payloads including Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos. 

Named ‘TicTacToe dropper,’ the group is identified by a standard Polish language string, ‘Kolko_i_krzyzyk,’ interpreting TicTacToe.

Document
Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks .

Technical analysis

Security analysts found dropper samples delivering malware via .iso files in phishing attachments (T1566.001). This technique helps hide malware in iso files that aim to evade antivirus detection and use mark-of-the-web bypass (T1553.005). 

The ISO contained an executable that had layered DLL files that were decoded at runtime, and besides this, the extraction process is complicated.

TicTacToe dropper extraction process (Source - Fortinet)TicTacToe dropper extraction process (Source - Fortinet)
TicTacToe dropper extraction process (Source – Fortinet)

The dropper consistently shared various remote access tools (RATs) for over a year. The initial sample, ‘ALco.exe’ (SHA-1 b6914b8fa3d0b67eb6173123652b7f0682cd24fb), is a 32-bit .NET executable. Upon execution, it loads a .NET PE DLL file directly into memory without disk writing.

Extracting the PE DLL file from the dropper EXE in the tool dnSpy (Source – Fortinet)

The experts extracted the DLL at runtime by naming it ‘Hadval.dll’ or ‘stage2 payload.’ This 32-bit .NET PE DLL is obfuscated with DeepSea 4.1 and has unreadable function names and code flow obfuscation distinct from the primary executable’s obfuscation (undetermined version).

Obfuscated code of Hadval.dll shown in the dnSpy tool (Source – Fortinet)

An open-source .NET de-obfuscator, De4dot successfully subverted DeepSea 4.1 obfuscation in Hadval.dll. The tool detected and de-obfuscated the file by providing a cleaner version using C#.

De-obfuscating intermediate payload hadval.dll (Source – Fortinet)

While debugging ‘ALco.exe,’ security analysts found that Hadval.dll extracts a gzip blob by revealing a 32-bit PE DLL (‘cruiser.dll’) protected by SmartAssembly. 

SmartAssembly safeguards .NET code from reverse engineering using obfuscation and encryption that prevent intellectual property theft. However, this info is visible using the ‘Detect It Easy’ tool.

Detect Easy (Source – Fortinet)

De4dot cleaned the cruiser.dll file by revealing a ‘Munoz’ class that creates a copy of the executable in the temp folder, and this payload aligns with the one analyzed by Jai Minton.

The cruiser.dll code extracts and executes the stage 4 payload (‘Farinell2.dll’) from the bitmap object ‘dZAu.’

Antivirus engines recognized the final payload as ‘Zusy Banking Trojan’ or ‘Leonem,’ also known as ‘TinyBanker’ or ‘Tinba’ by some researchers.

Similarities

Here below, we have mentioned all the similarities in the different TicTacToe dropper samples:-

  • Multi-stage layered payloads.
  • Dropper payloads all .NET executables/libraries.
  • One or more payloads obfuscated using SmartAssembly software.
  • Nesting of DLL files used to unpack obfuscated payloads.
  • All payload stages were loaded reflectively.
  • Most primary .NET payloads had internal names with a combination of 3 to 8 letters in varying cases.
  • Many samples had standard strings for the month they were delivered.
  • Some of the samples try to create a copy of itself.

Since the dropper serves various payloads, it’s obvious to have a diverse user base. However, it’s essential to understand and prevent its execution to stop various types of payloads.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at a…

12 hours ago

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to deploy…

12 hours ago

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid ongoing…

12 hours ago

NVIDIA Riva AI Speech Flaw Let Hackers Gain Unauthorized Access to Abuse GPU Resources & API keys

Researchers have uncovered significant security vulnerabilities in NVIDIA Riva, a breakthrough AI speech technology platform…

13 hours ago

Tsunami Malware Surge: Blending Miners and Credential Stealers in Active Attacks

Security researchers have recently discovered a sophisticated malware operation called the "Tsunami-Framework" that combines credential…

13 hours ago

The Double-Edged Sword of AI in Cybersecurity: Threats, Defenses & the Dark Web Insights Report 2025

Check Point Research's latest AI Security Report 2025 reveals a rapidly evolving cybersecurity landscape where…

13 hours ago