HomeCyber BalkansTicTacToe Malware Dropper Targeting Windows Users

TicTacToe Malware Dropper Targeting Windows Users

Published on

spot_img

The widespread popularity of the Windows operating system has made it a prime target for malware attacks, given its large user base and security vulnerabilities. In 2023, the FortiGuard team uncovered a group of malware droppers delivering various final-stage payloads, which raised concerns about cyber threats targeting Windows systems. The droppers, known as ‘TicTacToe dropper,’ utilized multiple stages of obfuscated payloads, including Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos.

These droppers were identified by a standard Polish language string, ‘Kolko_i_krzyzyk,’ interpreting TicTacToe. In a technical analysis, security analysts found that the dropper samples delivered malware via .iso files in phishing attachments, which helped conceal the malware and evaded antivirus detection. The dropper consistently shared various remote access tools (RATs) for over a year, creating a significant security concern.

The experts extracted a 32-bit .NET executable file ‘ALco.exe,’ which loaded a .NET PE DLL file directly into memory without disk writing upon execution. This DLL, named ‘Hadval.dll’ or ‘stage2 payload,’ was obfuscated with DeepSea 4.1 and contained unreadable function names and code flow obfuscation. Despite the complexity of the obfuscation, an open-source .NET de-obfuscator, De4dot, successfully subverted the DeepSea 4.1 obfuscation in Hadval.dll, providing a cleaner version using C#.

During the debugging of ‘ALco.exe,’ security analysts found that Hadval.dll extracted a gzip blob, revealing a 32-bit PE DLL (‘cruiser.dll’) protected by SmartAssembly. SmartAssembly safeguards .NET code from reverse engineering, but this protection was subverted using the ‘Detect It Easy’ tool, exposing a ‘Munoz’ class that created a copy of the executable in the temp folder. The cruiser.dll code then extracted and executed the stage 4 payload (‘Farinell2.dll’) from the bitmap object ‘dZAu.’ Antivirus engines recognized the final payload as ‘Zusy Banking Trojan’ or ‘Leonem,’ posing a significant threat to Windows users.

The analysis also revealed several similarities in the different TicTacToe dropper samples, including multi-stage layered payloads, obfuscation using SmartAssembly software, nesting of DLL files to unpack obfuscated payloads, and reflective loading of payload stages. With the dropper serving various payloads, it is essential to understand and prevent its execution to stop various types of payloads.

This discovery underscores the ongoing threat that malware poses to Windows users and the need for robust cybersecurity measures to protect against such attacks. As threat actors continue to exploit vulnerabilities in popular operating systems, organizations and individuals must remain vigilant and implement proactive security strategies to safeguard their systems and data. The findings also highlight the importance of ongoing research and collaboration among cybersecurity professionals to stay ahead of evolving cyber threats and ensure the resilience of digital infrastructure.

Source link

Latest articles

Zoom addresses account takeover vulnerability

Zoom Tackles Security Vulnerabilities in Key Software Products Zoom Video Communications recently addressed serious security...

Your VPN Has Become an Attackers’ Front Door

Rethinking VPNs in Today’s Cybersecurity Landscape In the rapidly evolving world of cybersecurity, organizations are...

Two Young Hackers Sentenced for Disrupting London Underground

Police Declare Success After Arrests "Effectively Halted" Scattered Spider Cybercrime Collective In a significant development...

Inside Microsoft’s Record-Breaking Release of 622 Bugs

Microsoft's Record-Breaking Security Update Addresses Urgent Vulnerabilities On July 14, 2026, Microsoft announced an unprecedented...

More like this

Zoom addresses account takeover vulnerability

Zoom Tackles Security Vulnerabilities in Key Software Products Zoom Video Communications recently addressed serious security...

Your VPN Has Become an Attackers’ Front Door

Rethinking VPNs in Today’s Cybersecurity Landscape In the rapidly evolving world of cybersecurity, organizations are...

Two Young Hackers Sentenced for Disrupting London Underground

Police Declare Success After Arrests "Effectively Halted" Scattered Spider Cybercrime Collective In a significant development...