CyberSecurity SEE

TicTacToe Malware Dropper Targeting Windows Users

The widespread popularity of the Windows operating system has made it a prime target for malware, given its large user base and broad attack surface. In 2023, the FortiGuard team uncovered a family of malware droppers delivering a range of final-stage payloads, raising concerns about threats targeting Windows systems. The droppers, dubbed the 'TicTacToe dropper,' unpack several stages of obfuscated payloads before delivering final payloads that include Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos.

The droppers were grouped by a Polish-language string shared across the samples, 'Kolko_i_krzyzyk,' which translates to TicTacToe. In their technical analysis, the researchers found that the dropper samples arrived as .iso files attached to phishing emails; packaging the executable inside a disk image helped conceal it from antivirus scanning of the attachment. The same dropper delivered a rotating set of remote access tools (RATs) and other payloads for more than a year, which makes it a significant security concern in its own right.

The researchers extracted a 32-bit .NET executable, 'ALco.exe,' which on execution loaded a .NET PE DLL directly into memory without writing it to disk. This DLL, named 'Hadval.dll' (the stage 2 payload), was obfuscated with DeepSea 4.1, leaving it with unreadable function names and obfuscated control flow. Despite this, the open-source .NET de-obfuscator de4dot stripped the DeepSea 4.1 obfuscation from Hadval.dll, yielding a cleaner assembly that decompiled to readable C#.

While debugging 'ALco.exe,' the analysts observed Hadval.dll extract a gzip blob that decompressed to a 32-bit PE DLL, 'cruiser.dll' (the stage 3 payload), protected by SmartAssembly. SmartAssembly is designed to protect .NET code from reverse engineering; the 'Detect It Easy' tool identified the protector, and once the SmartAssembly layer was removed, a 'Munoz' class was exposed that creates a copy of the executable in the temp folder. The cruiser.dll code then extracted the stage 4 payload ('Farinell2.dll') from the bitmap object 'dZAu' and executed it. Antivirus engines identify the final payload as the 'Zusy' banking trojan or 'Leonem,' a significant threat to Windows users.
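The staged unpacking described above (a gzip blob that inflates to the next DLL, and a final DLL carried in a bitmap object) is the kind of pattern a triage script can look for directly. The following Python is an added example written for this page, not FortiGuard's tooling or the dropper's own code. It assumes the gzip stream is plain (no additional encryption layer), that the image has already been extracted from the .NET resource as a plain BMP, and it runs over a constructed byte string rather than a real sample; `looks_like_pe`, `carve_gzip_payloads`, `carve_bitmap_payload` and `triage` are names chosen here.

```python
"""Triage helper for layered .NET droppers of the kind described above.

Added example, not FortiGuard's tooling: it carves gzip-compressed PE
payloads (the Hadval.dll -> cruiser.dll step) and PE images hidden in a
bitmap's pixel array (the dZAu -> Farinell2.dll step), and flags the
Polish marker string. SAMPLE below is constructed, not a real dropper.
"""
import gzip
import struct
import zlib

MARKER = b"Kolko_i_krzyzyk"      # Polish-language string shared by the samples
GZIP_MAGIC = b"\x1f\x8b\x08"    # gzip header: ID1, ID2, CM=deflate


def looks_like_pe(blob):
    """True if blob has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_gzip_payloads(data):
    """Return [(offset, inflated_bytes)] for every gzip stream that inflates to a PE."""
    found = []
    pos = data.find(GZIP_MAGIC)
    while pos != -1:
        inflater = zlib.decompressobj(wbits=31)  # 16 + 15: expect a gzip wrapper
        try:
            out = inflater.decompress(data[pos:])
            # eof is only set once a complete stream was consumed; bytes after
            # the stream land in inflater.unused_data instead of raising.
            if inflater.eof and looks_like_pe(out):
                found.append((pos, out))
        except zlib.error:
            pass  # false-positive magic bytes, not a real stream
        pos = data.find(GZIP_MAGIC, pos + 1)
    return found


def carve_bitmap_payload(bmp):
    """Return the pixel array of a BMP if it begins with a PE image, else None."""
    if len(bmp) < 14 or bmp[:2] != b"BM":
        return None
    pixel_off = struct.unpack_from("<I", bmp, 10)[0]  # bfOffBits
    body = bmp[pixel_off:]
    return body if looks_like_pe(body) else None


def triage(data):
    """Summarise dropper indicators found in a byte string."""
    bitmap_hits = []
    pos = data.find(b"BM")
    while pos != -1:
        if carve_bitmap_payload(data[pos:]) is not None:
            bitmap_hits.append(pos)
        pos = data.find(b"BM", pos + 1)
    return {
        "marker": MARKER in data,
        "gzip_pe_offsets": [off for off, _ in carve_gzip_payloads(data)],
        "bitmap_pe_offsets": bitmap_hits,
    }


# --- constructed sample input (not a real TicTacToe binary) -------------------
def _fake_pe():
    """Stand-in PE image: MZ stub, e_lfanew = 0x40, PE signature, filler."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60


def _fake_bmp(payload):
    """Wrap payload as the pixel array of a minimal 24-bit BMP (54-byte headers)."""
    pixel_off = 54
    file_hdr = b"BM" + struct.pack("<IHHI", pixel_off + len(payload), 0, 0, pixel_off)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, 8, 8, 1, 24, 0, len(payload), 0, 0, 0, 0)
    return file_hdr + dib_hdr + payload


SAMPLE = (
    b"\x90" * 32                       # filler, so the gzip stream sits at offset 32
    + gzip.compress(_fake_pe())        # stage-3-style gzip-compressed PE
    + b"junk" + MARKER + b"\x00" * 16  # marker string between the blobs
    + _fake_bmp(_fake_pe())            # stage-4-style PE in bitmap pixel data
    + b"\xcc" * 8
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The gzip carver deliberately uses `zlib.decompressobj` rather than `gzip.decompress`, because an embedded stream is followed by unrelated bytes and only a streaming inflater will stop cleanly at the end-of-stream marker. Validating `e_lfanew` against the `PE\0\0` signature, rather than matching `MZ` alone, keeps random two-byte hits out of the results.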

The analysis also found traits shared across the different TicTacToe dropper samples: multi-stage layered payloads, obfuscation with SmartAssembly, nested DLLs that each unpack the next obfuscated payload, and reflective loading of every stage into memory. Because the dropper is a common delivery mechanism for many different final payloads, detecting and blocking it at its early stages prevents every payload it carries from executing.

This discovery underscores the ongoing threat that malware poses to Windows users and the need for robust security measures against such attacks. As threat actors continue to target popular operating systems, organizations and individuals must remain vigilant and implement proactive security strategies to safeguard their systems and data. The findings also highlight the value of ongoing research and collaboration among security professionals to stay ahead of evolving threats and preserve the resilience of digital infrastructure.