“TicTacToe Dropper” Malware Distribution Tactics Revealed

Written by

A recent study conducted by the FortiGuard team has shed light on a sophisticated malware distribution strategy observed throughout 2023. 

In a technical write-up published on Wednesday, the team identified a series of malware droppers dubbed the “TicTacToe dropper,” which were utilized to deliver various malicious payloads to victims. 

These droppers, designed to obscure the final-stage payloads during initial execution, employed multiple layers of obfuscated payloads loaded reflectively in memory.

The analysis revealed a plethora of final-stage payloads delivered by these droppers, including Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre and Remcos. The grouping was named after a common Polish language string, “Kolko_i_krzyzyk,” which was found in earlier samples and translates to TicTacToe.

Read more on AgentTesla: Governments Targeted by Discord-Based Threat Campaign

The droppers were typically distributed through phishing emails containing .iso file attachments, a technique aimed at evading antivirus detection. Once executed, the dropper extracted and loaded multiple layers of DLL files into memory, making analysis and detection challenging. Despite variations in payload delivery, common behaviors allowed for the grouping of these droppers.

Static and dynamic analysis revealed intricate obfuscation techniques employed in the extraction and loading processes of the dropper payloads. Techniques such as runtime assembly loading and DeepSea obfuscation were utilized to cloak the malicious intent of the payloads.

Further analysis unveiled a consistent pattern of multi-stage layered payloads, all .NET executables/libraries, with reflective loading of each payload stage, including the final payload. Additionally, the dropper showed signs of continuous development, with unique strings employed in later campaigns to evade detection.

The Fortinet study suggests that the TicTacToe dropper serves as a versatile tool, likely sold as a service to threat actors rather than being exclusive to a single group. 

“By understanding the operation of this dropper and implementing solutions that can prevent its execution, organizations will be able to prevent the execution of a variety of final-stage payloads before they can be loaded,” reads the advisory.

What’s hot on Infosecurity Magazine?