New TicTacToe Malware Dropper Attacking Windows Users

Malware often targets Windows users due to the operating system’s widespread popularity, making it a lucrative target for threat actors. 

Windows systems have historically been perceived as more vulnerable due to their larger user base and most security vulnerabilities.

The FortiGuard team recently discovered a cluster of malware droppers delivering various final-stage payloads in 2023. 

In a report shared with Cyber Security News (CSN), Fortinet affirmed these droppers use multiple stages of obfuscated payloads, with some identified payloads including Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos. 

Named ‘TicTacToe dropper,’ the group is identified by a standard Polish language string, ‘Kolko_i_krzyzyk,’ interpreting TicTacToe.


Live Account Takeover Attack Simulation

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks.

Technical analysis

Security analysts found dropper samples delivering malware via .iso files in phishing attachments (T1566.001). This technique helps hide malware in iso files that aim to evade antivirus detection and use mark-of-the-web bypass (T1553.005). 

The ISO contained an executable that had layered DLL files that were decoded at runtime, and besides this, the extraction process is complicated.

TicTacToe dropper extraction process (Source - Fortinet)
TicTacToe dropper extraction process (Source – Fortinet)

The dropper consistently shared various remote access tools (RATs) for over a year. The initial sample, ‘ALco.exe’ (SHA-1 b6914b8fa3d0b67eb6173123652b7f0682cd24fb), is a 32-bit .NET executable. Upon execution, it loads a .NET PE DLL file directly into memory without disk writing.

Extracting the PE DLL file from the dropper EXE in the tool dnSpy (Source - Fortinet)
Extracting the PE DLL file from the dropper EXE in the tool dnSpy (Source – Fortinet)

The experts extracted the DLL at runtime by naming it ‘Hadval.dll’ or ‘stage2 payload.’ This 32-bit .NET PE DLL is obfuscated with DeepSea 4.1 and has unreadable function names and code flow obfuscation distinct from the primary executable’s obfuscation (undetermined version).

Obfuscated code of Hadval.dll shown in the dnSpy tool (Source - Fortinet)
Obfuscated code of Hadval.dll shown in the dnSpy tool (Source – Fortinet)

An open-source .NET de-obfuscator, De4dot successfully subverted DeepSea 4.1 obfuscation in Hadval.dll. The tool detected and de-obfuscated the file by providing a cleaner version using C#.

De-obfuscating intermediate payload hadval.dll (Source - Fortinet)
De-obfuscating intermediate payload hadval.dll (Source – Fortinet)

While debugging ‘ALco.exe,’ security analysts found that Hadval.dll extracts a gzip blob by revealing a 32-bit PE DLL (‘cruiser.dll’) protected by SmartAssembly. 

SmartAssembly safeguards .NET code from reverse engineering using obfuscation and encryption that prevent intellectual property theft. However, this info is visible using the ‘Detect It Easy’ tool.

Detect Easy (Source - Fortinet)
Detect Easy (Source – Fortinet)

De4dot cleaned the cruiser.dll file by revealing a ‘Munoz’ class that creates a copy of the executable in the temp folder, and this payload aligns with the one analyzed by Jai Minton.

The cruiser.dll code extracts and executes the stage 4 payload (‘Farinell2.dll’) from the bitmap object ‘dZAu.’

Antivirus engines recognized the final payload as ‘Zusy Banking Trojan’ or ‘Leonem,’ also known as ‘TinyBanker’ or ‘Tinba’ by some researchers.


Here below, we have mentioned all the similarities in the different TicTacToe dropper samples:-

  • Multi-stage layered payloads.
  • Dropper payloads all .NET executables/libraries.
  • One or more payloads obfuscated using SmartAssembly software.
  • Nesting of DLL files used to unpack obfuscated payloads.
  • All payload stages were loaded reflectively.
  • Most primary .NET payloads had internal names with a combination of 3 to 8 letters in varying cases.
  • Many samples had standard strings for the month they were delivered.
  • Some of the samples try to create a copy of itself.

Since the dropper serves various payloads, it’s obvious to have a diverse user base. However, it’s essential to understand and prevent its execution to stop various types of payloads.

Leave a Reply

Your email address will not be published. Required fields are marked *