The TicTacToe Dropper, also known as “Kolko_i_krzyzyk” (Polish for “TicTacToe”), is a sophisticated malware delivery mechanism that has been actively distributing various malicious payloads throughout 2023 and 2024. This dropper has been observed primarily targeting Windows systems, utilizing advanced evasion techniques and multi-stage payloads to effectively compromise victim machines.
Malware Distribution and Delivery
The TicTacToe Dropper is typically distributed via phishing emails carrying .iso file attachments. The .iso container is used because many mail and endpoint scanners do not look inside disk images, and because files inside a mounted image historically did not inherit the "mark-of-the-web" flag (Windows only began propagating it to ISO contents in late 2022), so the executable runs without the SmartScreen warnings a downloaded file would trigger. Once the .iso file is mounted, it reveals an executable that, when launched, initiates the multi-stage dropper process.
Multi-Stage Payload Execution
The dropper operates through several stages:
- Stage 1: Initial Execution
- The initial executable, often a 32-bit .NET file, launches and extracts the first layer of the payload. This typically involves loading a .NET PE DLL directly into memory through the runtime's assembly loader (an Assembly.Load call on a byte array), so the second stage is never written to disk, which helps in evading file-based detection.
- Stage 2: DLL Layer Execution
- The extracted DLL, often obfuscated using tools like DeepSea, further decompresses a hidden payload, usually another DLL or a compressed blob, which is then loaded into memory. The obfuscation at this stage uses techniques like unreadable function names and jumbled code flows to resist reverse engineering.
- Stage 3: Reflective Loading
- The next DLL layer (e.g., cruiser.dll) handles more complex tasks like extracting payloads from seemingly innocuous objects like bitmap images embedded in the executable. This stage often includes payloads protected by tools like SmartAssembly, which further obfuscates the code and resists debugging.
- Stage 4: Final Payload Deployment
- The final stage involves executing the ultimate malicious payload. This could be a Remote Access Trojan (RAT) like AgentTesla or an infostealer like LokiBot, which can steal data, log keystrokes, or provide remote control of the compromised system.
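The nesting described across the four stages is easiest to see in a static triage pass that walks a sample for embedded PE headers, checks which of them carry a CLR header (i.e. are .NET assemblies), and lists embedded bitmaps that could be carrying the next stage. The Python below is an added example written for this page, not code from the dropper, from FortiGuard, or from any tool the report names. It assumes a constructed sample whose layout mimics the four-stage chain (minimal PE headers only, not loadable binaries) and uses the heuristic that a non-empty COM descriptor data directory marks a .NET assembly.

```python
"""Static triage for layered .NET droppers: find every embedded PE header,
flag the ones with a CLR (.NET) header, and list embedded BMP blobs.

Added example for this page, not code from the dropper or its analysis.
The sample is constructed inline from minimal, non-loadable PE headers so
the script runs offline; a real file would be read with open(path, "rb").
"""
import struct

IMAGE_FILE_DLL = 0x2000            # Characteristics flag for a DLL
COM_DESCRIPTOR_INDEX = 14          # data directory slot of the CLR header
DIB_HEADER_SIZES = {12, 40, 52, 56, 108, 124}


def parse_pe_header(buf, off):
    """Validate a PE header at buf[off:]; return a summary dict or None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    # e_lfanew sanity bound: cuts false "MZ" hits in random data
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24                                  # optional header start
    if opt + 2 > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                             # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                           # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        return None
    if opt + ndirs_off + 4 > len(buf):
        return None
    ndirs = struct.unpack_from("<I", buf, opt + ndirs_off)[0]
    dotnet = False
    d = opt + dirs_off + COM_DESCRIPTOR_INDEX * 8
    if ndirs > COM_DESCRIPTOR_INDEX and d + 8 <= len(buf):
        rva, size = struct.unpack_from("<II", buf, d)
        dotnet = rva != 0 and size != 0            # non-empty CLR header => .NET
    return {"offset": off, "machine": machine,
            "dll": bool(chars & IMAGE_FILE_DLL), "dotnet": dotnet}


def find_embedded_pes(buf):
    """Every offset that parses as a PE header, outermost first."""
    found, pos = [], 0
    while (pos := buf.find(b"MZ", pos)) != -1:
        hdr = parse_pe_header(buf, pos)
        if hdr:
            found.append(hdr)
        pos += 2
    return found


def find_bitmaps(buf):
    """BMP headers whose declared size fits in the buffer: payload carriers."""
    found, pos = [], 0
    while (pos := buf.find(b"BM", pos)) != -1:
        if pos + 18 <= len(buf):
            size = struct.unpack_from("<I", buf, pos + 2)[0]
            dib = struct.unpack_from("<I", buf, pos + 14)[0]
            if 54 <= size <= len(buf) - pos and dib in DIB_HEADER_SIZES:
                found.append({"offset": pos, "size": size})
        pos += 2
    return found


def triage(buf):
    return {"pes": find_embedded_pes(buf), "bitmaps": find_bitmaps(buf)}


# ---- constructed sample (assumption: layout mimics the four-stage chain) ----
def build_min_pe(dotnet, dll, body=b""):
    """Minimal PE32 header (not loadable) with an optional CLR directory."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96 + 16 * 8, chars)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if dotnet:
        struct.pack_into("<II", dirs, COM_DESCRIPTOR_INDEX * 8, 0x2008, 0x48)
    return dos + b"PE\x00\x00" + file_hdr + opt + bytes(dirs) + body


def build_sample():
    bmp = (b"BM" + struct.pack("<IHHI", 70, 0, 0, 54)
           + struct.pack("<I", 40) + b"\x00" * 36 + b"\x00" * 16)
    final = build_min_pe(dotnet=True, dll=False)            # stage 4: RAT
    cruiser = build_min_pe(True, True, body=bmp + final)     # stage 3 DLL
    stage2 = build_min_pe(True, True, body=cruiser)          # stage 2 DLL
    return build_min_pe(True, False, body=stage2)            # stage 1 exe


if __name__ == "__main__":
    report = triage(build_sample())
    for layer in report["pes"]:
        print(f"PE @ {layer['offset']:#06x} dll={layer['dll']} dotnet={layer['dotnet']}")
    for bmp in report["bitmaps"]:
        print(f"BMP @ {bmp['offset']:#06x} size={bmp['size']}")
```

On a real sample, replace build_sample() with the file's bytes; each reported offset is a carving point for the next layer. The caveat matters as much as the result: this scan only finds stages stored as plaintext PE images. A stage that is compressed or encrypted (the compressed blob in stage 2, or a SmartAssembly-packed payload) will not show an MZ header until it has been decoded, so a report listing only the outer executable does not mean no payload is present; those layers have to be dumped from memory after the in-memory load instead.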
Payload Obfuscation and Evasion Techniques
TicTacToe Dropper employs various evasion techniques to avoid detection:
- Layered DLL Execution: By nesting multiple DLL files and loading them reflectively, the dropper ensures that each layer is only decoded at runtime, making it harder for static analysis tools to detect the full scope of the malware.
- Use of Unique Strings: Campaigns involving this dropper often change strings within the payloads (e.g., “MatrixEqualityTestDetail”, “Pizza_Project”) to avoid signature-based detection.
- Behavioral Evasion: The dropper’s ability to operate entirely in memory without leaving a significant footprint on the disk makes it particularly elusive to traditional antivirus software. This necessitates the use of behavior-based detection tools like Endpoint Detection and Response (EDR) systems.
Associated Threats
The TicTacToe Dropper has been linked to several notorious malware families, including:
- AgentTesla: A RAT known for its keylogging and credential-stealing capabilities.
- LokiBot: An infostealer that can harvest credentials and other sensitive data.
- Remcos: Another RAT that provides extensive control over infected systems.
Until now…
The TicTacToe Dropper exemplifies the evolving sophistication of modern malware. Its multi-stage, heavily obfuscated payload delivery system and ability to adapt to different campaigns make it a significant threat in the cybersecurity landscape. Organizations must employ advanced detection mechanisms, including behavior-based analysis and endpoint monitoring, to effectively defend against such threats.
This dropper’s continuous development and frequent updates suggest that it will remain a potent tool for cybercriminals, requiring constant vigilance and adaptation from cybersecurity professionals.
For more detailed technical analysis and indicators of compromise (IOCs), you can refer to the reports from security research firms such as FortiGuard and others in the cybersecurity community.