A recent study by the FortiGuard Labs team has shed light on a sophisticated malware distribution method observed throughout 2023.
In a technical write-up published on Wednesday, the team identified a series of malware droppers dubbed the "TicTacToe dropper," which have been used to deliver a variety of malicious payloads to victims.
These droppers, designed to obscure the final-stage payload during initial execution, employ multiple layers of obfuscated payloads that are loaded reflectively in memory rather than written to disk.
The analysis revealed a wide range of final-stage payloads delivered by these droppers, including Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre and Remcos. The grouping was named after a Polish-language string, "Kolko_i_krzyzyk," which was found in earlier samples and translates to TicTacToe.
The droppers were typically distributed via phishing emails carrying .iso file attachments, a container format chosen to evade antivirus scanning of the executable inside. Once executed, the dropper extracted and loaded several layers of DLL files into memory, which makes both analysis and detection harder because no intermediate stage is written to disk. Despite variations in the payload delivered, the shared loading behavior allowed these droppers to be grouped together.
Static and dynamic analysis revealed intricate obfuscation of the extraction and loading routines for each payload layer. Techniques such as runtime assembly loading and DeepSea obfuscation were used to hide the malicious intent of the payloads from static inspection.
Further analysis showed a consistent pattern of multi-stage layered payloads, all of them .NET executables or libraries, with each stage, including the final payload, loaded reflectively. The dropper also showed signs of continuous development, with distinct strings used in later campaigns to evade detection signatures built on earlier samples.
The Fortinet study suggests that the TicTacToe dropper is a versatile tool, most likely sold as a service to threat actors rather than being exclusive to a single group.
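The layering described above, where every stage is a .NET image embedded inside the previous one, is something an analyst can triage offline before reversing any obfuscation. The following is an added example written for this article, not code from Fortinet or from the dropper itself: it scans a buffer for embedded PE images, reports whether each carries a CLR header (data directory 14, so it is a .NET assembly) and how deeply it is nested, and it builds its own constructed, non-loadable PE skeletons as sample input so it runs without a real sample. The size thresholds and the `build_sample_pe` helper are assumptions for illustration.

```python
"""Carve nested PE images out of a buffer and flag which layers are .NET assemblies.

Added example for triaging multi-layer .NET droppers; not Fortinet's tooling.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def pe_info(data: bytes, off: int):
    """Return (size, is_dotnet, bitness) if a plausible PE header starts at `off`, else None."""
    if data[off:off + 2] != MZ or off + 0x40 > len(data):
        return None
    e_lfanew, = struct.unpack_from("<I", data, off + 0x3C)
    pe = off + e_lfanew
    # 0x400 is an assumed sanity bound on the DOS stub, not a PE format rule.
    if e_lfanew < 0x40 or e_lfanew > 0x400 or pe + 24 > len(data):
        return None
    if data[pe:pe + 4] != PE_SIG:
        return None
    num_sections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    if opt_size < 96 or opt + opt_size > len(data):
        return None
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:            # PE32: data directories start at optional-header offset 96
        bitness, dd_off = 32, 96
    elif magic == 0x20B:          # PE32+: data directories start at offset 112
        bitness, dd_off = 64, 112
    else:
        return None
    # Data directory 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR header.
    # A non-zero RVA/size there is what marks the image as a .NET assembly.
    clr_entry = opt + dd_off + 14 * 8
    is_dotnet = False
    if clr_entry + 8 <= opt + opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", data, clr_entry)
        is_dotnet = clr_rva != 0 and clr_size != 0
    # Estimate the on-disk size from the furthest-reaching section's raw data.
    sec = opt + opt_size
    end = sec
    for i in range(num_sections):
        s = sec + i * 40
        if s + 40 > len(data):
            break
        raw_size, raw_ptr = struct.unpack_from("<II", data, s + 16)
        end = max(end, off + raw_ptr + raw_size)
    return end - off, is_dotnet, bitness


def carve(data: bytes):
    """Find every embedded PE image; depth counts how many found images enclose it."""
    found = []
    pos = 0
    while True:
        off = data.find(MZ, pos)
        if off < 0:
            break
        info = pe_info(data, off)
        if info:
            size, dotnet, bits = info
            depth = sum(1 for f in found if f["offset"] <= off < f["offset"] + f["size"])
            found.append({"offset": off, "size": size, "dotnet": dotnet, "bits": bits, "depth": depth})
        pos = off + 1
    return found


def build_sample_pe(is_dotnet: bool, payload: bytes = b"", pe32plus: bool = False) -> bytes:
    """Constructed sample (assumption): a minimal, non-loadable PE skeleton with one
    section whose raw data is `payload`, so nested layers can be exercised offline."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if is_dotnet:
        dd_off = 112 if pe32plus else 96
        struct.pack_into("<II", opt, dd_off + 14 * 8, 0x2000, 72)   # fake IMAGE_COR20_HEADER rva/size
    header_len = 64 + 4 + 20 + opt_size + 40
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x2000,
                          len(payload), header_len, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + PE_SIG + coff + bytes(opt) + section + payload


if __name__ == "__main__":
    # Three constructed layers: .NET -> .NET -> native, plus a stray "MZ" that is not a header.
    sample = build_sample_pe(True, build_sample_pe(True, build_sample_pe(False, b"MZ not a header")))
    for img in carve(sample):
        print(f"{'  ' * img['depth']}offset=0x{img['offset']:x} size={img['size']} "
              f"{'.NET' if img['dotnet'] else 'native'} PE{img['bits']}")
```

The carver only finds layers that sit in the buffer as plain PE images. When a stage is stored the way the article describes, obfuscated or encrypted inside a .NET resource, the output stops at that layer; decode the resource with the dropper's own routine (or by hand in a debugger after `Assembly.Load` is called) and run `carve` again on the decoded buffer to continue down the chain.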
"By understanding the operation of this dropper and implementing solutions that can prevent its execution, organizations will be able to prevent the execution of a variety of final-stage payloads before they can be loaded," reads the advisory.