Monday, February 19, 2024

New TicTacToe Malware Dropper Attacking Windows Users

Malware frequently targets Windows users because of the operating system's widespread popularity, which makes it a lucrative target for threat actors.

Windows systems have historically been perceived as more exposed because of their larger user base and the majority of disclosed security vulnerabilities affecting them.

The FortiGuard team recently discovered a cluster of malware droppers that delivered various final-stage payloads throughout 2023.

In a report shared with Cyber Security News (CSN), Fortinet stated that these droppers use multiple stages of obfuscated payloads, with identified final payloads including Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos.

Named the 'TicTacToe dropper,' the cluster is identified by a Polish string common to the samples, 'Kolko_i_krzyzyk,' which translates to TicTacToe.



Technical analysis

Security analysts found dropper samples delivering malware via .iso files attached to phishing emails (T1566.001). Packaging the dropper inside an ISO image helps it evade antivirus detection and bypass Mark-of-the-Web (T1553.005), since Windows historically did not propagate the Mark-of-the-Web zone identifier to files inside a mounted ISO image.

The ISO contained an executable carrying layered DLL files that are decoded at runtime, and the extraction process is deliberately convoluted.

TicTacToe dropper extraction process (Source - Fortinet)

The dropper consistently delivered various remote access tools (RATs) for over a year. The initial sample, 'ALco.exe' (SHA-1 b6914b8fa3d0b67eb6173123652b7f0682cd24fb), is a 32-bit .NET executable. Upon execution, it loads a .NET PE DLL file directly into memory without writing it to disk.

Extracting the PE DLL file from the dropper EXE in the tool dnSpy (Source - Fortinet)

The researchers extracted the DLL at runtime, naming it 'Hadval.dll' or the 'stage2 payload.' This 32-bit .NET PE DLL is obfuscated with DeepSea 4.1 and has unreadable function names and control-flow obfuscation distinct from the obfuscation of the primary executable (whose obfuscator version was not determined).

Obfuscated code of Hadval.dll shown in the dnSpy tool (Source - Fortinet)

De4dot, an open-source .NET de-obfuscator, successfully defeated the DeepSea 4.1 obfuscation in Hadval.dll. The tool detected the obfuscator and produced a cleaner, readable version of the C# code.

De-obfuscating intermediate payload hadval.dll (Source - Fortinet)

While debugging 'ALco.exe,' the analysts found that Hadval.dll decompresses a gzip blob, revealing a 32-bit PE DLL ('cruiser.dll') protected by SmartAssembly.

SmartAssembly protects .NET code from reverse engineering with obfuscation and encryption intended to prevent intellectual property theft. The protector is nonetheless identifiable with the 'Detect It Easy' tool.

Detect It Easy (Source - Fortinet)

De4dot cleaned the cruiser.dll file, revealing a 'Munoz' class that creates a copy of the executable in the temp folder; this payload aligns with the one analyzed by Jai Minton.

The cruiser.dll code extracts and executes the stage 4 payload ('Farinell2.dll') from the bitmap object 'dZAu.'
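The two hand-offs described above (a gzip blob decompressed by Hadval.dll, and a PE pulled out of a bitmap object by cruiser.dll) are the kind of containers an analyst carves out of a memory dump or a decoded resource. The script below is an added example for this article and not Fortinet's tooling: it carves PEs from gzip members and from a bitmap's pixel array, using the PE section table to find where an embedded image ends. The PE skeletons, the gzip blob, the bitmap and the 'stand-in' section contents are constructed in-line for the demo and are not executable code; the assumption that the stage 4 payload sits raw in the pixel array is an illustration, since the article does not say how 'dZAu' encodes it.

```python
"""Carving the nested payloads of a TicTacToe-style chain: one stage hands the
next down as a gzip blob, another hides it in the pixel array of a bitmap.
Added example for this article, not Fortinet's tooling. The PE skeletons and
the container blobs are constructed in-line and are not executable code."""
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def pe_size(data: bytes, off: int = 0) -> int:
    """Size of the PE image starting at data[off:], or 0 if no PE is there.
    Walks the section table and takes the furthest PointerToRawData + SizeOfRawData."""
    if data[off:off + 2] != b"MZ":
        return 0
    try:
        pe = off + struct.unpack_from("<I", data, off + 0x3C)[0]
        if data[pe:pe + 4] != b"PE\x00\x00":
            return 0
        nsec = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        sec = pe + 24 + opt_size                      # first IMAGE_SECTION_HEADER
        end = sec + 40 * nsec - off                   # at least the headers
        for i in range(nsec):
            raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
    except struct.error:                              # header runs off the buffer
        return 0
    return end


def carve_gzip(buf: bytes) -> list[bytes]:
    """Try every gzip magic offset and keep decompressions that are a PE.
    zlib.decompressobj stops at the end of the member instead of raising on
    the trailing bytes that gzip.decompress would choke on."""
    found = []
    pos = buf.find(GZIP_MAGIC)
    while pos != -1:
        try:
            blob = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS).decompress(buf[pos:])
        except zlib.error:
            blob = b""
        n = pe_size(blob)
        if n:
            found.append(blob[:n])
        pos = buf.find(GZIP_MAGIC, pos + 1)
    return found


def carve_bitmap(bmp: bytes) -> list[bytes]:
    """Scan the pixel array of a .bmp (from bfOffBits onward) for embedded PEs."""
    if len(bmp) < 14 or bmp[:2] != b"BM":
        return []
    pixels_at = struct.unpack_from("<I", bmp, 10)[0]
    found, pos = [], bmp.find(b"MZ", pixels_at)
    while pos != -1:
        n = pe_size(bmp, pos)
        if n:
            found.append(bmp[pos:pos + n])
        pos = bmp.find(b"MZ", pos + (n or 1))        # skip past a carved image
    return found


def fake_pe(section_data: bytes) -> bytes:
    """Constructed PE skeleton: DOS header, COFF header without an optional
    header, one section whose raw data is `section_data`. Demo input only."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = len(dos) + len(coff) + 40                                 # data follows the section table
    sect = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sect + section_data


def fake_bitmap(payload: bytes, width: int = 16) -> bytes:
    """Constructed 32-bpp BMP whose pixel array is `payload` padded to whole rows."""
    row = width * 4                                   # 32 bpp rows need no padding
    height = -(-len(payload) // row)
    pixels = payload.ljust(row * height, b"\x00")
    header = b"BM" + struct.pack("<IHHI", 14 + 40 + len(pixels), 0, 0, 54)
    info = struct.pack("<IiiHHIIiiII", 40, width, -height, 1, 32, 0, len(pixels), 2835, 2835, 0, 0)
    return header + info + pixels


def demo() -> tuple[list[bytes], list[bytes]]:
    """Stage 3 style container (gzip with junk around it) and stage 4 style
    container (PE inside bitmap pixels); returns what the carvers recover."""
    stage3 = fake_pe(b"cruiser-stand-in")
    stage4 = fake_pe(b"Farinell2-stand-in")
    gz_container = b"\x00" * 7 + gzip.compress(stage3) + b"\xff" * 13
    bmp_container = fake_bitmap(b"\x11" * 5 + stage4 + b"\x22" * 9)
    return carve_gzip(gz_container), carve_bitmap(bmp_container)


if __name__ == "__main__":
    from_gzip, from_bmp = demo()
    print(f"gzip: {len(from_gzip)} PE(s), bitmap: {len(from_bmp)} PE(s)")
```

On a real sample the inputs would be the decoded resource or a memory region dumped from the dropper process, and the recovered images would go straight into dnSpy or de4dot as the article describes. Sizing by the section table rather than grabbing "everything after MZ" matters when several images share one buffer or when junk follows the payload.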

Antivirus engines recognized the final payload as the 'Zusy Banking Trojan' or 'Leonem,' also known to some researchers as 'TinyBanker' or 'Tinba.'


The similarities observed across the different TicTacToe dropper samples are listed below:

  • Multi-stage layered payloads.
  • All dropper payloads are .NET executables or libraries.
  • Multiple payloads obfuscated with SmartAssembly.
  • Nested DLL files used to unpack the obfuscated payloads.
  • All payload stages loaded reflectively.
  • Most primary .NET payloads carried internal names of three to eight letters in varying cases.
  • Many samples shared common strings tied to the month in which they were delivered.
  • Some samples attempt to create a copy of themselves.
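Several of the traits in that list can be turned into cheap static triage checks. The script below is an added example for this article, not Fortinet's detection logic: it looks for the CLR metadata signature (so the file is .NET), a SmartAssembly marker string, the 'Kolko_i_krzyzyk' family string, embedded gzip member headers, and three-to-eight-letter module names, checking strings in both UTF-8 and UTF-16LE because .NET keeps user strings in UTF-16. The scoring weights, the 'SmartAssembly' marker string and the ignore list are illustrative assumptions, and the two sample buffers are constructed rather than real binaries.

```python
"""Static triage against the traits shared by the TicTacToe samples: CLR
metadata, a SmartAssembly marker, the 'Kolko_i_krzyzyk' family string,
embedded gzip members and short module names. Added example for this
article, not Fortinet's detection logic; weights are illustrative and the
sample buffers below are constructed, not real binaries."""
import re

CLR_METADATA_SIG = b"BSJB"          # ECMA-335 metadata root signature 0x424A5342
GZIP_MAGIC = b"\x1f\x8b\x08"        # gzip member header, deflate method
FAMILY_STRING = "Kolko_i_krzyzyk"   # Polish for tic-tac-toe, per the Fortinet report
SA_MARKER = b"SmartAssembly"        # string left behind by SmartAssembly (heuristic assumption)
IGNORE = {"mscoree", "mscorlib"}    # runtime modules every .NET binary references

# module names such as Hadval.dll or ALco.exe, in UTF-8 (#Strings heap) ...
MODULE_UTF8 = re.compile(rb"(?<![A-Za-z0-9_])([A-Za-z]{3,8})\.(?:dll|exe)(?![A-Za-z0-9_])")
# ... and in UTF-16LE, which is how .NET stores user strings (#US heap)
MODULE_UTF16 = re.compile(rb"((?:[A-Za-z]\x00){3,8})\.\x00(?:d\x00l\x00l\x00|e\x00x\x00e\x00)")


def module_names(buf: bytes) -> list[str]:
    """Three-to-eight-letter module names found in either encoding, deduplicated."""
    names = {m.group(1).decode() for m in MODULE_UTF8.finditer(buf)}
    names |= {m.group(1).decode("utf-16-le") for m in MODULE_UTF16.finditer(buf)}
    return sorted(names - IGNORE)


def triage(buf: bytes) -> dict:
    """Collect the traits and an illustrative score; a triage hint, not a verdict."""
    names = module_names(buf)
    feats = {
        "dotnet_metadata": CLR_METADATA_SIG in buf,
        "smartassembly_marker": SA_MARKER in buf,
        "family_string": FAMILY_STRING.encode() in buf or FAMILY_STRING.encode("utf-16-le") in buf,
        "embedded_gzip_members": buf.count(GZIP_MAGIC),
        "short_module_names": names,
        "mixed_case_names": [n for n in names if n != n.lower() and n != n.upper()],
    }
    score = (
        3 * feats["family_string"]            # the naming clue weighs most
        + feats["dotnet_metadata"]
        + feats["smartassembly_marker"]
        + min(feats["embedded_gzip_members"], 2)
        + bool(names)
    )
    feats["score"] = int(score)
    feats["suspicious"] = score >= 4
    return feats


def sample_dropper() -> bytes:
    """Constructed stand-in for a dropper image (not a valid PE): metadata
    signature, a SmartAssembly string, the family string as a UTF-16 user
    string, one gzip member header and a short mixed-case module name."""
    return b"".join([
        b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 24,
        CLR_METADATA_SIG + b"\x01\x00\x01\x00",
        b"mscoree.dll\x00Hadval.dll\x00",
        b"Powered by " + SA_MARKER + b"\x00",
        FAMILY_STRING.encode("utf-16-le") + b"\x00\x00",
        b"\x00" * 16 + GZIP_MAGIC + b"\x00" * 8,
    ])


def sample_benign() -> bytes:
    """Constructed buffer with none of the traits."""
    return b"MZ" + b"\x00" * 62 + b"PE\x00\x00kernel32.dll\x00Hello, world!\x00"


if __name__ == "__main__":
    for label, blob in (("dropper", sample_dropper()), ("benign", sample_benign())):
        print(label, triage(blob))
```

The UTF-16 search is the part most often forgotten: a rule that only scans ASCII misses 'Kolko_i_krzyzyk' when it lives in the #US heap. Pointing the script at an unpacked stage such as Hadval.dll (after de4dot) gives the cleanest results, since obfuscators encrypt or split strings in the outer layers.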

Because the dropper serves such varied payloads, it is likely used by a diverse set of threat actors. Understanding the dropper and blocking its execution is therefore an efficient way to stop many different payload families at once.

