Threat Research

TicTacToe Malware Dropper

Malware droppers are malicious software designed to deliver and execute additional malware on a victim system and are employed to obfuscate final payloads during load and initial execution.

Droppers in this group load multiple stages of obfuscated payloads reflectively in memory. Some of the final-stage payloads we identified include Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos.

This group of payloads is called the ‘TicTacToe dropper’ because of a common Polish-language string, ‘Kolko_i_krzyzyk,’ found in multiple earlier samples of the dropper; it translates to TicTacToe in English.

TicTacToe Dropper Analysis

The executable malware file was usually delivered inside an .iso file. The executable within the ISO contained multiple layers of DLL files, which were extracted at runtime and loaded directly into memory.

Each DLL layer was decoded at runtime, and each layer was responsible for decoding and loading the next one. We discuss the extraction of these obfuscated payloads in a later section.


Obfuscated payload extraction

Stage 1:

The first TicTacToe dropper sample analyzed is a 32-bit .NET executable called ‘ALco.exe’ (SHA-1 b6914b8fa3d0b67eb6173123652b7f0682cd24fb). Analysis of the sample identified that, on execution, the dropper extracts a .NET PE DLL and loads it directly into its current process through a runtime assembly object. This means the file is loaded directly into memory without being written to disk.


We then extracted the DLL at runtime and saved it as a separate file. This extracted DLL file was named ‘Hadval.dll’ in the OriginalFileName field in the file’s version information. In this article, we will call this file ‘Hadval.dll’ or ‘stage2 payload’ for reference. This Hadval.dll file is a 32-bit .NET PE DLL file.

Stage 2:

This DLL file was obfuscated with version 4.1 of the DeepSea obfuscator, which differs from whatever was used to obfuscate the main executable (as yet undetermined). The DeepSea obfuscation resulted in unreadable function names and clear indicators of code-flow obfuscation.

Performing further debugging of the ‘ALco.exe’ process, we identified that the Hadval.dll code is used to extract a gzip blob. Decompressed, this gzip blob revealed another 32-bit PE DLL file and another .NET library.


Stage 3:

The DLL that Hadval.dll decompresses from the gzip blob is the stage 3 payload; it has the internal file name ‘cruiser.dll.’

Stage 4:

The code from the stage 3 DLL file (cruiser.dll) extracts, reflectively loads, and executes the stage 4 payload from the bitmap object ‘dZAu’ (a resource from the main payload). The stage 4 payload is another .NET PE DLL file with the internal name ‘Farinell2.dll.’ It is obfuscated with a custom obfuscator. This stage 4 payload (Farinell2.dll) then de-obfuscates, reflectively loads, and executes the final payload.
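The stage 2 to stage 3 handoff above is a gzip blob that decompresses to a PE image. As an added example (not code from the original analysis), the following Python carves every decodable gzip stream out of a byte buffer and keeps only those that decompress to something with a valid MZ/PE header, skipping stray 1f 8b bytes that are not real headers; the sample container and the fake DLL are constructed here for the demonstration.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def carve_gzip_streams(data: bytes) -> list:
    """Return (offset, decompressed_bytes) for every decodable gzip stream in data."""
    found = []
    pos = data.find(GZIP_MAGIC)
    while pos != -1:
        try:
            # wbits = 16 + MAX_WBITS makes zlib expect a gzip wrapper; a stray
            # 1f 8b that is not a real header raises zlib.error or yields nothing.
            out = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data[pos:])
            if out:
                found.append((pos, out))
        except zlib.error:
            pass
        pos = data.find(GZIP_MAGIC, pos + 1)
    return found

def extract_embedded_pes(data: bytes) -> list:
    """Offsets and bytes of gzip-packed PE images (the stage 2 -> stage 3 pattern)."""
    return [(off, blob) for off, blob in carve_gzip_streams(data) if looks_like_pe(blob)]

def _make_fake_pe() -> bytes:
    # Constructed stand-in for a DLL: MZ stub, e_lfanew = 0x80, "PE\0\0" at 0x80.
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr)

FAKE_DLL = _make_fake_pe()
# Constructed container: padding, a decoy gzip magic, the real gzip blob, trailing junk.
SAMPLE_BLOB = (b"\x00" * 32 + GZIP_MAGIC + b"junk"
               + gzip.compress(FAKE_DLL, mtime=0) + b"\xff" * 16)

if __name__ == "__main__":
    for off, pe in extract_embedded_pes(SAMPLE_BLOB):
        print(f"gzip-packed PE at offset {off}, {len(pe)} bytes after decompression")
```

Run it against a dumped process region or an extracted resource to locate the next stage without executing the sample.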

IOCs


About the Author: Rudra Pratap

Rudra Pratap, Security Research Manager, Gurucul

Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.