Malware droppers are malicious software designed to deliver and execute additional malware on a victim system and are employed to obfuscate final payloads during load and initial execution.
Droppers within this group employ multiple stages of obfuscated payloads that are loaded reflectively in memory. Some of the final-stage payloads we identified include Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos.
This group of payloads is called the ‘TicTacToe dropper’ because of a Polish-language string, ‘Kolko_i_krzyzyk,’ found in multiple earlier samples of the dropper, which translates to TicTacToe in English.
The executable malware file was usually delivered inside an .iso file. The executable inside the ISO contained multiple layers of DLL files, which were extracted at runtime and loaded directly into memory.
Each DLL layer was decoded at runtime by the layer before it: the current layer decoded the next DLL and loaded it into memory, so no intermediate stage is written to disk. We will discuss the extraction of these obfuscated payloads in a later section.
The first TicTacToe dropper sample analyzed is a 32-bit executable developed in the .NET programming language called ‘ALco.exe’ (SHA-1 b6914b8fa3d0b67eb6173123652b7f0682cd24fb). Analysis of the sample identified that, on execution, the dropper extracts and loads a .NET PE DLL file directly into its current process using a runtime assembly object. This means the file is loaded directly into memory without being written to disk.
We then extracted the DLL at runtime and saved it as a separate file. This extracted DLL file was named ‘Hadval.dll’ in the OriginalFileName field in the file’s version information. In this article, we will call this file ‘Hadval.dll’ or ‘stage2 payload’ for reference. This Hadval.dll file is a 32-bit .NET PE DLL file.
This DLL file was obfuscated with version 4.1 of the DeepSea obfuscator, which differs from the (as yet unidentified) obfuscator used on the main executable. The DeepSea obfuscation resulted in unreadable function names and clear indicators of control-flow obfuscation.
Performing further debugging of the ‘ALco.exe’ process, we identified that the Hadval.dll code extracts a gzip blob. Decompressed, this gzip blob revealed another 32-bit PE DLL file, again a .NET library. This stage 3 payload has the internal file name ‘cruiser.dll.’
The code from the stage 3 DLL file (cruiser.dll) extracts, reflectively loads, and executes the stage 4 payload from the bitmap object ‘dZAu’ (a resource from the main payload). The stage 4 payload is another .NET PE DLL file with the internal name ‘Farinell2.dll.’ It is obfuscated with a custom obfuscator. This stage 4 payload (Farinell2.dll) then de-obfuscates, reflectively loads, and executes the final payload.
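The stage 2 to stage 4 chain described above is, from an analyst's point of view, a sequence of "find the compressed blob, decompress it, check whether what came out is a PE file and whether it is a .NET assembly". The following is an added analysis example written for this article's readers; it is not code from the original article, from Gurucul, or from the dropper itself. It carves every decodable gzip stream out of an arbitrary byte container (a dumped process region, an extracted resource, or a file on disk), validates the MZ/PE headers of whatever decompresses, and reports whether the PE optional header carries a populated CLR runtime directory, which is what distinguishes a .NET DLL such as ‘cruiser.dll’ from a native one. The sample container, the hypothetical `build_fake_pe32` stand-in and the decoy header are all constructed here so the block runs offline; the function and class names are my own.

```python
import gzip
import struct
import zlib
from dataclasses import dataclass
from typing import List, Tuple

# Three-byte gzip signature: ID1, ID2, CM=8 (deflate).
GZIP_MAGIC = b"\x1f\x8b\x08"

# Index of the CLR runtime header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
# in the PE optional header's data directory table.
CLR_DIRECTORY_INDEX = 14


@dataclass
class CarvedPayload:
    offset: int      # where the gzip stream starts inside the container
    size: int        # decompressed size in bytes
    is_pe: bool      # MZ and PE\0\0 headers present
    is_dotnet: bool  # CLR runtime header directory is populated
    machine: int     # IMAGE_FILE_HEADER.Machine (0x14C = i386)


def inspect_pe(data: bytes) -> Tuple[bool, bool, int]:
    """Minimal PE header walk: returns (is_pe, is_dotnet, machine)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False, 0
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False, 0
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt = e_lfanew + 24                       # start of the optional header
    if opt + 2 > len(data):
        return True, False, machine
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32: data directories at +96
        dirs = opt + 96
    elif magic == 0x20B:                      # PE32+: data directories at +112
        dirs = opt + 112
    else:
        return True, False, machine
    entry = dirs + CLR_DIRECTORY_INDEX * 8
    if entry + 8 > len(data):
        return True, False, machine
    clr_rva, clr_size = struct.unpack_from("<II", data, entry)
    return True, clr_rva != 0 and clr_size != 0, machine


def carve_gzip_payloads(container: bytes, max_out: int = 64 * 1024 * 1024) -> List[CarvedPayload]:
    """Find every complete gzip stream in `container` and classify what it holds."""
    found: List[CarvedPayload] = []
    pos = container.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # gzip wrapper, one member
        try:
            out = d.decompress(container[pos:], max_out)
        except zlib.error:                            # false positive on the magic bytes
            out = b""
        if d.eof and out:
            # Complete stream: record it and resume the search after its last byte,
            # so signatures inside the compressed data are not re-examined.
            is_pe, is_dotnet, machine = inspect_pe(out)
            found.append(CarvedPayload(pos, len(out), is_pe, is_dotnet, machine))
            consumed = len(container) - pos - len(d.unused_data)
            pos = container.find(GZIP_MAGIC, pos + consumed)
        else:
            # Not a stream, or truncated / over max_out: step past the magic bytes.
            pos = container.find(GZIP_MAGIC, pos + 1)
    return found


def build_fake_pe32(dotnet: bool) -> bytes:
    """Constructed stand-in for a carved DLL: just enough headers for inspect_pe."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 4, 0x14C)        # Machine = i386
    struct.pack_into("<H", buf, e_lfanew + 20, 224)         # SizeOfOptionalHeader
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)                 # PE32 magic
    if dotnet:
        entry = opt + 96 + CLR_DIRECTORY_INDEX * 8
        struct.pack_into("<II", buf, entry, 0x2008, 0x48)   # CLR header RVA / size
    return bytes(buf)


def build_sample_container() -> bytes:
    """Constructed container: filler, a .NET PE, a decoy gzip header, a native PE."""
    filler = b"\x00" * 32 + b"resource padding" * 4
    decoy = b"\x1f\x8b\x08\xe0decoy-not-a-stream"   # reserved FLG bits set: zlib rejects it
    return (filler + gzip.compress(build_fake_pe32(dotnet=True))
            + filler + decoy + filler
            + gzip.compress(build_fake_pe32(dotnet=False)) + filler)


if __name__ == "__main__":
    for payload in carve_gzip_payloads(build_sample_container()):
        print(payload)
```

Run against a real dump, the `offset` field tells you where in the parent image the next stage sits, and `is_dotnet` tells you whether to hand the carved file to a .NET decompiler or a native disassembler. The decoy in the sample shows the one false-positive case the carver has to tolerate: the three gzip magic bytes occurring by chance in unrelated data.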
| Indicator Description | Indicator | Indicator Type | Notes |
|---|---|---|---|
| Malicious Executable | b6914b8fa3d0b67eb6173123652b7f0682cd24fb | SHA1 Hash | Dropper executable variant with final payload Lokibot |
| Malicious Executable | 90624ba95243c7ec20730a101cad6966e75df675 | SHA1 Hash | Dropper executable variant with final payload Warzone RAT |
| Malicious Executable | 4a5b3465ef2298392b60ec78da233287185eb7dd | SHA1 Hash | Dropper executable variant with final payload Trojan Mamut |
| Malicious Executable | 15b3c9768a67ce0d09807627f1939c7165a3fede | SHA1 Hash | Dropper executable variant with final payload Taskun malware |
| Malicious Executable | af14b44a1bdbf96b8fec28236f152d410c91e807 | SHA1 Hash | Dropper executable variant with final payload AgentTesla malware |
| Malicious Executable | 69dfa8c16879ab1c6c3bb738619dabe9660f2376cb15051ce55e465680e4f67f | SHA256 Hash | Dropper executable variant with final payload Lokibot |
| Malicious Executable | 3af5c0843b016faa6129e40b696565d4117b48fd6750164ac4a0f307ef3d6a36 | SHA256 Hash | Dropper executable variant with final payload Warzone RAT |
| Malicious Executable | 8fe52481cdabec8900f78cab1d673dbb1bde3366d9347a89c2ea8e2e74ab01b4 | SHA256 Hash | Dropper executable variant with final payload Trojan Mamut |
| Malicious Executable | 0239bc35516d6d3680c64f7a5a5a40801c7b0ea4db8a80718e4774687c565af3 | SHA256 Hash | Dropper executable variant with final payload Taskun malware |
| Discovery | 349fada4859b8ffa4c690af723daa16669d6fa2b9f5ec51111adee2e8cb63748 | SHA256 Hash | Dropper executable variant with final payload AgentTesla malware |
| C2 URL | http[:]//64.227.48[.]212/project/five/fre.php | URL | C2 contacted by final payload |
| C2 URL | http[:]//171.22.30[.]147/tony/five/fre.php | URL | C2 contacted by final payload |
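The indicators in the table are published defanged, so they cannot be compared with live telemetry as-is. The following is an added detection example (my own code, not from the original article or from Gurucul) that takes the table's hashes and C2 URLs verbatim, refangs the URLs, and then matches them against file contents and proxy log lines. URLs are matched twice: on the exact URL, and on the host alone, because a C2 path such as `/project/five/fre.php` changes more often than the host behind it. The proxy log lines and timestamps are constructed for the example; the function names are my own.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Set

# Indicators copied from the table above, in the defanged form they were published in.
TICTACTOE_SHA1: Set[str] = {
    "b6914b8fa3d0b67eb6173123652b7f0682cd24fb",
    "90624ba95243c7ec20730a101cad6966e75df675",
    "4a5b3465ef2298392b60ec78da233287185eb7dd",
    "15b3c9768a67ce0d09807627f1939c7165a3fede",
    "af14b44a1bdbf96b8fec28236f152d410c91e807",
}
TICTACTOE_SHA256: Set[str] = {
    "69dfa8c16879ab1c6c3bb738619dabe9660f2376cb15051ce55e465680e4f67f",
    "3af5c0843b016faa6129e40b696565d4117b48fd6750164ac4a0f307ef3d6a36",
    "8fe52481cdabec8900f78cab1d673dbb1bde3366d9347a89c2ea8e2e74ab01b4",
    "0239bc35516d6d3680c64f7a5a5a40801c7b0ea4db8a80718e4774687c565af3",
    "349fada4859b8ffa4c690af723daa16669d6fa2b9f5ec51111adee2e8cb63748",
}
TICTACTOE_C2_URLS_DEFANGED = [
    "http[:]//64.227.48[.]212/project/five/fre.php",
    "http[:]//171.22.30[.]147/tony/five/fre.php",
]


def refang(indicator: str) -> str:
    """Undo the usual [:] / [.] / hxxp defanging so the value compares with live logs."""
    return (indicator.replace("[:]", ":").replace("[.]", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def host_of(url: str) -> str:
    """Lower-cased host part of a URL (no port, no path); '' if it does not parse."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


C2_URLS: Set[str] = {refang(u) for u in TICTACTOE_C2_URLS_DEFANGED}
C2_HOSTS: Set[str] = {host_of(u) for u in C2_URLS}


def hash_lookup(data: bytes,
                sha1_iocs: Set[str] = TICTACTOE_SHA1,
                sha256_iocs: Set[str] = TICTACTOE_SHA256) -> Optional[str]:
    """Return 'sha256:<hex>' or 'sha1:<hex>' if the file's digest is a known indicator."""
    sha1 = hashlib.sha1(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    if sha256 in sha256_iocs:        # the stronger digest wins when both match
        return f"sha256:{sha256}"
    if sha1 in sha1_iocs:
        return f"sha1:{sha1}"
    return None


URL_IN_LOG = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag log lines whose URL, or at least whose host, is a known C2 indicator."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        for url in URL_IN_LOG.findall(line):
            if url in C2_URLS:
                hits.append({"line": n, "match": "url", "value": url})
            elif host_of(url) in C2_HOSTS:
                hits.append({"line": n, "match": "host", "value": host_of(url)})
    return hits


# Constructed proxy log excerpt: two exact C2 URLs, one same-host/different-path
# request, and one unrelated request.
SAMPLE_PROXY_LOG = [
    "2024-01-15T10:02:11Z src=10.0.0.21 GET http://64.227.48.212/project/five/fre.php 200",
    "2024-01-15T10:02:12Z src=10.0.0.21 GET http://64.227.48.212/project/five/other.php 404",
    "2024-01-15T10:02:13Z src=10.0.0.22 GET https://www.example.com/index.html 200",
    "2024-01-15T10:02:14Z src=10.0.0.23 POST http://171.22.30.147/tony/five/fre.php 200",
]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

A host-only hit deserves a look but is weaker evidence than an exact URL hit, which is why the two are reported separately; in a SIEM rule the host match would typically be a lower-severity alert that is escalated when the full path is also seen.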
About the Author:
Rudra Pratap, Security Research Manager, Gurucul
Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.