FortiGuard Labs Threat Research

TicTacToe Dropper

By Amey Gat and Mark Robson | February 14, 2024

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows Users
Impact: This loader has been used to load multiple RATs and info stealers, which can lead to compromised credentials and enable further malicious activities
Severity Level: Medium

Executive Summary

While analyzing malware samples collected from several victims, the FortiGuard team identified a grouping of malware droppers used to deliver various final-stage payloads throughout 2023. Malware droppers are malicious software designed to deliver and execute additional malware on a victim system and are employed to obfuscate final payloads during load and initial execution.

Droppers within this group employ multiple stages of obfuscated payloads loading reflectively in memory. Some of the final stage payloads we identified include Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos. We have named this group of payloads ‘TicTacToe dropper’ due to a common Polish language string, ‘Kolko_i_krzyzyk,’ found in multiple earlier samples of the dropper, which translates to TicTacToe in English. While not all versions of this group of droppers contain this string, commonalities in their behavior led us to this grouping.

TicTacToe Dropper Analysis

We analyzed multiple samples of this dropper. The executable malware file was usually delivered through an .iso file. From cases directly observed in the wild, these iso files were delivered to the victim via phishing as an attachment (T1566.001). This technique of packing malware inside an iso file is typically employed to avoid detection by antivirus software and as a mark-of-the-web (MOTW) bypass technique (T1553.005). The executable inside the iso had multiple layers of DLL files, which were extracted at runtime and loaded directly into memory. One layer of DLL was decoded at runtime, and the next layer of DLL was loaded and decoded by the previous layer of the DLL file. We will discuss the extraction of these obfuscated payloads in a later section. The extraction process is convoluted, so the diagram below should be referenced alongside the analysis to better understand the behavior of the dropper.

Figure 1. TicTacToe dropper extraction process

We found that the same dropper has been used to distribute multiple final-stage remote access tools (RATs) for at least the last 12 months. This is shown in the following timeline diagram:

Figure 2. TicTacToe’s final payload timeline for 2023

To better understand the TicTacToe dropper, we performed static and dynamic analysis on several samples.

Obfuscated payload extraction

The first TicTacToe dropper sample analyzed is a 32-bit executable developed in the .NET programming language called ‘ALco.exe’ (SHA-1 b6914b8fa3d0b67eb6173123652b7f0682cd24fb). Analysis of the sample identified that, on execution, the dropper extracts and loads a .NET PE DLL file directly into its current process using a runtime assembly object. This means the file is loaded directly into memory without being written to disk. The code associated with this in-memory loading can be seen in Figure 3.

Figure 3. Extracting the PE DLL file from the dropper EXE in the tool dnSpy.

We then extracted the DLL at runtime and saved it as a separate file. This extracted DLL file was named ‘Hadval.dll’ in the OriginalFileName field in the file's version information. In this article, we will call this file ‘Hadval.dll’ or ‘stage2 payload’ for reference. This Hadval.dll file is a 32-bit .NET PE DLL file.

This DLL file was obfuscated with version 4.1 of the DeepSea software, which differs from what was used to obfuscate the main executable (as yet undetermined). The DeepSea obfuscation resulted in unreadable function names and clear indicators of code flow obfuscation, as shown in Figure 4.

Figure 4. Obfuscated code of Hadval.dll shown in the dnSpy tool.

The de4dot tool was used to subvert some of the DeepSea obfuscation. The de4dot tool is an open source (GPLv3) .NET de-obfuscator and unpacker written in C# that can often be used to restore a packed and obfuscated assembly to almost the original assembly. The de4dot tool detected that the file was obfuscated using the tool DeepSea 4.1 and then de-obfuscated much of the library to provide a cleaner version of the Hadval.dll file. We can see the output of the de4dot tool execution in Figure 5 and some of the cleaner, more readable code in Figure 6.

Figure 5. De-obfuscating intermediate payload Hadval.dll.

Figure 6. Cleaned code of Hadval.dll open in the dnSpy tool.

Performing further debugging of the ‘ALco.exe’ process, we identified that the Hadval.dll code is used to extract a gzip blob. Decompressed, this gzip blob revealed another 32-bit PE DLL file and another .NET library. This stage 3 payload has the internal file name ‘cruiser.dll.’ This cruiser.dll was protected by software called SmartAssembly, which is software provided by Redgate to protect .NET code from reverse engineering. This software claims to protect the source code of .NET applications through obfuscation and encryption and is designed to prevent intellectual property theft through code analysis. The tool ‘Detect It Easy’ shows this information, as seen in Figure 7.

Figure 7. The stage 3 protected payload of cruiser.dll.
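An analyst working from a memory dump or an extracted stage 2 file can locate a gzip-wrapped stage like the one described above by carving for gzip streams that inflate to an MZ image. The following is an added example, not FortiGuard's tooling or code from the samples; the names `carve_gzip_pe` and `constructed_dump` are hypothetical, and it assumes the blob is a standard gzip stream (magic bytes 1f 8b 08) present in the bytes being scanned.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM = deflate

def carve_gzip_pe(buf: bytes, max_out: int = 64 * 1024 * 1024) -> list:
    """Return (offset, image) for each gzip stream in buf that inflates to an MZ image."""
    hits = []
    pos = buf.find(GZIP_MAGIC)
    while pos != -1:
        inflater = zlib.decompressobj(31)  # wbits 31 = require gzip header and trailer
        try:
            # max_out caps the output so a crafted stream cannot exhaust memory.
            out = inflater.decompress(buf[pos:], max_out)
        except zlib.error:
            out = b""  # the three magic bytes occurred by chance
        # eof is only set when the stream ended cleanly, trailer included.
        if inflater.eof and out[:2] == b"MZ":
            hits.append((pos, out))
        pos = buf.find(GZIP_MAGIC, pos + 1)
    return hits

def constructed_dump():
    """Constructed buffer: padding, a false magic, a benign gzip stream, a gzip-wrapped stub."""
    stub = b"MZ" + bytes(62)  # stand-in for the stage 3 DLL, header bytes only
    benign = gzip.compress(b"plain text", mtime=0)
    prefix = bytes(7) + GZIP_MAGIC + b"\xff" + benign
    return prefix + gzip.compress(stub, mtime=0) + b"trailing bytes", len(prefix), stub

if __name__ == "__main__":
    dump, expected_offset, _ = constructed_dump()
    for offset, image in carve_gzip_pe(dump):
        print(f"gzip stream at {offset:#x} inflates to {len(image)}-byte MZ image")
```
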

Multiple layered payload

This cruiser.dll file was de-obfuscated using the de4dot tool to create a cleaned version of the binary DLL file. Following this de-obfuscation, we can see that the cruiser.dll file has a class named ‘Munoz.’ This class contains a function that creates a copy of the executable in the temp folder. This payload matches the description of a payload with the same name, ‘cruiser.dll,’ as described in Jai Minton's blog, where he analyzed it. We can see the code from the cleaned cruiser.dll file in Figure 8, including the ‘Munoz’ class.

Figure 8. Decrypted code of the stage 3 payload - cruiser.dll.

The code from the stage 3 DLL file (cruiser.dll) extracts, reflectively loads, and executes the stage 4 payload from the bitmap object ‘dZAu’ (a resource from the main payload). The stage 4 payload is another .NET PE DLL file with the internal name ‘Farinell2.dll.’ It is obfuscated with a custom obfuscator. This stage 4 payload (Farinell2.dll) then de-obfuscates, reflectively loads, and executes the final payload. We have seen multiple variants of this dropper with different types of final payloads (e.g., Lokibot to gain credentials from numerous browsers and software in the victim machine, Remcos for remote access, etc.).

Analysis of a different TicTacToe sample

Analyzing another TicTacToe dropper allows us to document some common characteristics within the malware group. This executable (SHA1: 15b3c9768a67ce0d09807627f1939c7165a3fede) was also a 32-bit .NET executable with the internal name ‘IxOQ.exe.’ This executable was not obfuscated but shares similarities with the above variant, i.e., later-stage obfuscated payloads embedded as object resources. This can be seen in the screenshot in Figure 9.

Figure 9. A different TicTacToe sample showing the loading of code from a resource object.

The resource object has stored hexadecimal numbers as strings. A simple obfuscation was used while storing, which was to replace ‘0’ (zero) with ‘ZZ’ and replace ‘F’ with ‘YY.’ When the object string was being loaded, this string replacement was reversed to get the original hexadecimal string. This string was then converted to bytes and loaded as assembly code using the ‘Assembly.Load’ method. The resource object contents can be seen in Figure 10.

Figure 10. Obfuscated code stored in the resource object of the .NET executable.

When this string was de-obfuscated and extracted, it was found to be a 32-bit .NET PE DLL file like the previous sample. This stage 2 payload had the internal name of ‘Pendulum.dll.’ When the code inside ‘Pendulum.dll’ is executed, it extracts a stage 3 payload named ‘cruiser.dll.’ This is the same file name as the stage 3 payload DLL of the previous sample and uses the same loading process.

This cruiser.dll extracts the stage 4 payload from the bitmap object ‘JqZn,’ a resource in the primary executable ‘lxOQ.exe.’ This and the previous sample executable files present similarly obfuscated image objects. These bitmap objects are visually similar between samples, as shown in Figure 11, where this and the last sample are compared.

Figure 11. Similarity between the obfuscated image objects in two different samples.

The payload extracted from the bitmap object was found to be another 32-bit .NET PE DLL file. This DLL file has the internal name of ‘Discompard.dll’. The code from this payload was also loaded reflectively, as in previous stage payloads. Multiple antivirus engines recognized this final payload (Discompard.dll) as the ‘Zusy Banking Trojan’ or ‘Leonem’. This ‘Zusy Trojan’ is also known as ‘TinyBanker’ or ‘Tinba’ by some researchers.

Earlier samples containing TicTacToe strings

We analyzed another separate TicTacToe dropper sample, which drops AgentTesla malware. This executable (SHA1: af14b44a1bdbf96b8fec28236f152d410c91e807) was also a 32-bit .NET executable and employs an identical technique to load code stored in the resource element of the file. This can be seen in Figure 12.

Figure 12. Sample oJXU.exe having obfuscated code extracted from a resource object.

When the resource object was checked, it was very similar to the resource object in the previous sample. It had stored hexadecimal numbers as strings, and the code used to obfuscate it was also similar, replacing ‘0’ (zero) with ‘ZZ’ and substituting ‘F’ with ‘YY.’ This is shown in Figure 13.

Figure 13. Resource object containing obfuscated data.
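For static triage, the ‘ZZ’/‘YY’ substitution used by both this sample and the earlier ‘IxOQ.exe’ sample can be reversed offline and the result checked against what the analysis reports for stage 2 (a .NET PE DLL). This is an added example, not code from the dropper or from FortiGuard; the function names are hypothetical, the input is assumed to be uppercase hex, and the sample string is a constructed header-only stand-in.

```python
import struct

def deobfuscate_resource(text: str) -> bytes:
    """Reverse the '0'->'ZZ' and 'F'->'YY' substitution, then hex-decode."""
    hex_str = text.replace("ZZ", "0").replace("YY", "F")
    try:
        # Z and Y are not hex digits, so any leftover means a different scheme.
        return bytes.fromhex(hex_str)
    except ValueError as exc:
        raise ValueError("not a ZZ/YY-encoded hex string") from exc

def describe_pe(data: bytes) -> dict:
    """Read the header fields checked first in triage: machine, DLL flag, CLR directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header: Machine is the first field, Characteristics the last.
    machine, *_, characteristics = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 14 is the CLR header.
    dirs = opt + (96 if magic == 0x10B else 112)
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 14 * 8)
    return {
        "machine_i386": machine == 0x14C,
        "dll": bool(characteristics & 0x2000),
        "dotnet": clr_rva != 0 and clr_size != 0,
    }

def constructed_sample() -> str:
    """Header-only stand-in for a stage 2 DLL (constructed), obfuscated like the resource."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)    # CLR directory entry
    raw = dos + coff + bytes(opt)
    return raw.hex().upper().replace("0", "ZZ").replace("F", "YY")

if __name__ == "__main__":
    blob = deobfuscate_resource(constructed_sample())
    print(len(blob), describe_pe(blob))
```
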

The stage 2 payload has the internal name ‘Pendulum.dll,’ and the stage 3 payload has the name ‘cruiser.dll.’ On execution, the stage 3 payload extracts the stage 4 payload from the bitmap object ‘faLa.’ Again, the visual aspects of this embedded bitmap object match those discussed in the previous two samples. This can be seen in Figure 14.

Figure 14. Image object faLa in the malware sample that contains an obfuscated payload.

The final payload in this sample was detected as AgentTesla, a well-known RAT.

Third-party research that includes TicTacToe dropper

In our search for any reporting on this dropper, we identified a malware analysis report from Jai Minton. The payload DLL files in the second malware sample we analyzed had the same names as those mentioned in Jai Minton’s blog. The only slight change was that the stage 2 payload was ‘Pend.dll’ in his analyzed sample, and in the second sample analyzed above, it was ‘Pendulum.dll.’ Names of other intermediate payloads (Cruiser.dll and Discompard.dll) match the payloads analyzed in Jai’s blog. In addition to these naming similarities, the dropper behavior exhibited by the sample outlined in Jai’s analysis is identical and results in the loading and execution of a Remcos executable.

Commonalities

We identified multiple common characteristics across the different TicTacToe dropper samples:

  1. Multi-stage layered payloads.
  2. Dropper payloads are all .NET executables/libraries.
  3. One or more payloads obfuscated using SmartAssembly software.
  4. Nesting of DLL files used to unpack obfuscated payloads.
  5. All payload stages, including the final payload, were loaded reflectively.
  6. Most primary .NET payloads had internal names with a combination of 3 to 8 letters in varying cases.
  7. Many samples had common strings for the month they were delivered (e.g., Kolko_i_krzyzyk, MatrixEqualityTestDetail, Kakurasu, etc.)
  8. Some of the samples try to create a copy of themselves.

Conclusion

This dropper delivers multiple types of final payloads. As a result, we do not believe a single threat actor group uses this dropper. Instead, it is used as a tool that may be sold as a service to threat actors. We discovered that samples distributed at the beginning of 2023 contained the strings TicTacToe (Kolko_i_krzyzyk). Later campaigns had different unique strings common across the same campaigns but distributed different final-stage payloads. Some of the strings include: ‘MatrixEqualityTestDetail,’ ‘QuanLyCafe,’ ‘Pizza_Project,’ ‘Kakurasu,’ ‘BanHang_1’, ‘ChiuMartSAIS,’ etc. This indicates that the dropper tool is in constant development, and developers are trying to evade the string-based analysis of their malware dropper. By understanding the operation of this dropper and implementing solutions that can prevent its execution, organizations will be able to prevent the execution of a variety of final-stage payloads before they can be loaded.

Detection and Mitigation Strategies

Since each iteration of the dropper contains a different final payload, each would have a different hash. As a result, while hash-based detections are still effective at mitigating known campaigns that employ this loader, a behavior-based endpoint security tool is required to detect new campaigns due to the dynamic nature of this malware.

Multistage payload extraction and in-memory execution behaviors exhibited by this dropper are anomalous compared to normal application execution, and this type of behavior should be detected and blocked by EDR technology such as FortiEDR. The behavior discussed in this article outlines the behavior of the dropper component of analyzed samples rather than the final payload.

Additional samples related to previous known campaigns involving this dropper can be found in VirusTotal by searching for ‘fortinet:MSIL/Kryptik.AIJY!tr OR fortinet:MSIL/GenKryptik.GLXZ!tr OR fortinet:MSIL/GenKryptik.GCRZ!tr’ or by browsing the public collection here: https://www.virustotal.com/gui/collection/a5a5b60edcbbb203cb1965b1d544b74c47284e015ffd50312de0a251141bfbd7/iocs.

Fortinet Protections

As highlighted above, the loader described in this report is used to deploy a variety of final payloads. Each of these final payloads is typically tracked by FortiGuard Antivirus separately, but all instances of this loader can be tracked through the following trackers:

MSIL/Kryptik.AIJY!tr
MSIL/GenKryptik.GLXZ!tr
MSIL/GenKryptik.GCRZ!tr

FortiEDR blocks the reflective loading behavior of this loader, preventing it from loading its final-stage payload. FortiEDR is also able to extract in-memory loaded artifacts to assist with triaging an infection by this dropper.

We also suggest that organizations go through Fortinet’s free Fortinet Certified Fundamentals (FCF) in cybersecurity training. The training is designed to help end users learn about today's threat landscape and will introduce basic cybersecurity concepts and technology.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Indicator Description | Indicator | Indicator Type | Notes | First Observed
--- | --- | --- | --- | ---
Malicious Executable | b6914b8fa3d0b67eb6173123652b7f0682cd24fb | SHA1 Hash | Dropper executable variant with final payload Lokibot | 2023-04-06
Malicious Executable | 90624ba95243c7ec20730a101cad6966e75df675 | SHA1 Hash | Dropper executable variant final payload Warzone RAT | 2023-04-12
Malicious Executable | 4a5b3465ef2298392b60ec78da233287185eb7dd | SHA1 Hash | Dropper executable variant with final payload Trojan Mamut | 2023-04-12
Malicious Executable | 15b3c9768a67ce0d09807627f1939c7165a3fede | SHA1 Hash | Dropper executable variant with final payload Taskun malware | 2023-04-12
Malicious Executable | af14b44a1bdbf96b8fec28236f152d410c91e807 | SHA1 Hash | Dropper executable variant with final payload AgentTesla malware | 2023-04-12
Malicious Executable | 69dfa8c16879ab1c6c3bb738619dabe9660f2376cb15051ce55e465680e4f67f | SHA256 Hash | Dropper executable variant with final payload Lokibot | 2023-04-06
Malicious Executable | 3af5c0843b016faa6129e40b696565d4117b48fd6750164ac4a0f307ef3d6a36 | SHA256 Hash | Dropper executable variant final payload Warzone RAT | 2023-04-12
Malicious Executable | 8fe52481cdabec8900f78cab1d673dbb1bde3366d9347a89c2ea8e2e74ab01b4 | SHA256 Hash | Dropper executable variant with final payload Trojan Mamut | 2023-04-12
Malicious Executable | 0239bc35516d6d3680c64f7a5a5a40801c7b0ea4db8a80718e4774687c565af3 | SHA256 Hash | Dropper executable variant with final payload Taskun malware | 2023-04-12
Malicious Executable | 349fada4859b8ffa4c690af723daa16669d6fa2b9f5ec51111adee2e8cb63748 | SHA256 Hash | Dropper executable variant with final payload AgentTesla malware | 2023-04-12
C2 URL | http[:]//64.227.48[.]212/project/five/fre.php | URL | C2 contacted by final payload | 2023-11-27
C2 URL | http[:]//171.22.30[.]147/tony/five/fre.php | URL | C2 contacted by final payload | 2023-04-13