TicTacToe Dropper
2024-2-15 00:0:0 Author: feeds.fortinet.com(查看原文) 阅读量:8 收藏

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows Users
Impact: This loader has been used to load multiple RATs and info stealers, which can lead to compromised credentials and enable further malicious activities
Severity Level: Medium

Executive Summary

While analyzing malware samples collected from several victims, the FortiGuard team identified a grouping of malware droppers used to deliver various final-stage payloads throughout 2023. Malware droppers are malicious software designed to deliver and execute additional malware on a victim system and are employed to obfuscate final payloads during load and initial execution.

Droppers within this group employ multiple stages of obfuscated payloads loading reflectively in memory. Some of the final stage payloads we identified include Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos. We have named this group of payloads ‘TicTacToe dropper’ due to a common Polish language string, ‘Kolko_i_krzyzyk,’ found in multiple earlier samples of the dropper, which translates to TicTacToe in English. While not all versions of this group of droppers contain this string, commonalities in their behavior led us to this grouping.

TicTacToe Dropper Analysis

We analyzed multiple samples of this dropper. The executable malware file was usually delivered through an .iso file. From cases directly observed in the wild, these iso files were delivered to the victim via phishing as an attachment (T1566.001). This technique of packing malware inside an iso file is typically employed to avoid detection by antivirus software and as a mark-of-the-web (MOTW) bypass technique (T1553.005). The executable inside the iso had multiple layers of DLL files, which were extracted at runtime and loaded directly into memory. One layer of DLL was decoded at runtime, and the next layer of DLL was loaded and decoded by the previous layer of the DLL file. We will discuss the extraction of these obfuscated payloads in a later section. The extraction process is convoluted, so the diagram below should be referenced alongside the analysis to better understand the behavior of the dropper.

Figure 1. TicTacToe dropper extraction process

We found that the same dropper has been used to distribute multiple final-stage remote access tools (RATs) for at least the last 12 months. This is shown in the following timeline diagram:

Figure 2. TicTacToe’s final payload timeline for 2023

To better understand the TicTacToe dropper, we performed static and dynamic analysis on several samples.

Obfuscated payload extraction

The first TicTacToe dropper sample analyzed is a 32-bit executable developed in the .NET programming language called ‘ALco.exe’ (SHA-1 b6914b8fa3d0b67eb6173123652b7f0682cd24fb). Analysis of the sample identified that, on execution, the dropper extracts and loads a .NET PE DLL file directly into its current process using a runtime assembly object. This means the file is loaded directly into memory without being written to disk. The code associated with this in-memory loading can be seen in Figure 3.

Figure 3. Extracting the PE DLL file from the dropper EXE in the tool dnSpy.

We then extracted the DLL at runtime and saved it as a separate file. This extracted DLL file was named ‘Hadval.dll’ in the OriginalFileName field in the file's version information. In this article, we will call this file ‘Hadval.dll’ or ‘stage2 payload’ for reference. This Hadval.dll file is a 32-bit .NET PE DLL file.

This DLL file was obfuscated with version 4.1 of the DeepSea software, which differs from what was used to obfuscate the main executable (as yet undetermined). The DeepSea obfuscation resulted in unreadable function names and clear indicators of code flow obfuscation, as shown in Figure 2.

Figure 4. Obfuscated code of Hadval.dll shown in the dnSpy tool.

The de4dot tool was used to subvert some of the DeepSea obfuscation. The de4dot tool is an open source (GPLv3) .NET de-obfuscator and unpacker written in C# that can often be used to restore a packed and obfuscated assembly to almost the original assembly. The de4dot tool detected that the file was obfuscated using the tool DeepSea 4.1 and then de-obfuscated much of the library to provide a cleaner version of the Hadval.dll file. We can see the output of the de4dot tool execution in Figure 5 and some of the cleaner, more readable code in Figure 6.

Figure 5. De-obfuscating intermediate payload hadval.dll.

Figure 6. Cleaned code of Hadval.dll open in the dnSpy tool.

Performing further debugging of the ‘ALco.exe’ process, we identified that the Hadval.dll code is used to extract a gzip blob. Decompressed, this gzip blob revealed another 32-bit PE DLL file and another .NET library. This stage 3 payload has the internal file name ‘cruiser.dll.’ This cruiser.dll was protected by software called SmartAssembly, which is software provided by Redgate to protect .NET code from reverse engineering. This software claims to protect the source code of .NET applications through obfuscation and encryption and is designed to prevent intellectual property theft through code analysis. The tool ‘Detect It Easy’ shows this information, as seen in Figure 7.

Figure 7. The stage 3 protected payload of cruiser.dll.

Multiple layered payload

This cruiser.dll file was de-obfuscated using the de4dot tool to create a cleaned version of the binary DLL file. Following this de-obfuscation, we can see that the cruiser.dll file has a class named ‘Munoz.’ This class contains a function that creates a copy of the executable in the temp folder. This payload matches the description of a payload with the same name, ‘cruiser.dll,’ as described in Jai Minton's blog, where he analyzed it. We can see the code from the cleaned cruiser.dll file in Figure 8, including the ‘Munoz’ class.

Figure 8. Decrypted code of the stage 3 payload - cruiser.dll.

The code from the stage 3 DLL file (cruiser.dll) extracts, reflectively loads, and executes the stage 4 payload from the bitmap object ‘dZAu’ (a resource from the main payload). The stage 4 payload is another .NET PE DLL file with the internal name 'Farinell2.dll.’ It is obfuscated with a custom obfuscator. This stage 4 payload (Farinell2.dll) then de-obfuscates, reflectively loads, and executes the final payload. We have seen multiple variants of this dropper with different types of final payloads (e.g., Lokibot to gain credentials from numerous browsers and software in the victim machine, Remcos for remote access, etc.)

Analysis of a different TicTacToe sample

Analyzing another TicTacToe dropper allows us to document some common characteristics within the malware group. This executable (SHA1: 15b3c9768a67ce0d09807627f1939c7165a3fede) was also a 32-bit .NET executable with the internal name ‘IxOQ.exe.’ This executable was not obfuscated but shares similarities with the above variant, i.e., later-stage obfuscated payloads embedded as object resources. This can be seen in the screenshot in Figure 9.

Figure 9. A different TicTacToe sample showing the loading of code from a resource object.

The resource object has stored hexadecimal numbers as strings. A simple obfuscation was used while storing, which was to replace ‘0’ (zero) with ‘ZZ’ and replace ‘F’ with ‘YY.’ When the object string was being loaded, this string replacement was reversed to get the original hexadecimal string. This string was then converted to bytes and loaded as assembly code using the ‘Assembly.Load’ method. The resource object contents can be seen in Figure 10.

Figure 10. Obfuscated code stored in the resource object of the .NET executable.

When this string was de-obfuscated and extracted, it was found to be a 32-bit .NET PE DLL file like the previous sample. This stage 2 payload had the internal name of ‘Pendulum.dll.’ When the code inside ‘Pendulum.dll’ is executed, it extracts a stage 3 payload named ‘cruiser.dll.’ This is the same file name as the stage 3 payload DLL of the previous sample and uses the same loading process.

This cruiser.dll extracts the stage 4 payload from the bitmap object ‘JqZn,’ a resource in the primary executable ‘lxOQ.exe.’ This and the previous sample executable files present similarly obfuscated image objects. These bitmap objects are visually similar between samples, as shown in Figure 11, where this and the last sample are compared.

Figure 11. Similarity between the obfuscated image objects in two different samples.

The payload extracted from the bitmap object was found to be another 32-bit .NET PE DLL file. This DLL file has the internal name of ‘Discompard.dll’. The code from this payload was also loaded reflectively, as in previous stage payloads. Multiple antivirus engines recognized this final payload (Discompard.dll) as the ‘Zusy Banking Trojan’ or ‘Leonem’. This ‘Zusy Trojan’ is also known as ‘TinyBanker’ or ‘Tinba’ by some researchers.

Earlier samples containing TicTacToe strings

We performed an analysis of another separate TicTacToe dropper sample, which drops AgentTesla malware. This executable (SHA1: af14b44a1bdbf96b8fec28236f152d410c91e807) was also a 32-bit .NET executable and also employs an identical technique to load code stored in the resource element of the file. This can be seen in Figure 12.

Figure 12. Sample oJXU.exe having obfuscated code extracted from a resource object.

When the resource object was checked, it was very similar to the resource object in the previous sample. It had stored hexadecimal numbers as strings, and the code used to obfuscate it was also similar, replacing ‘0’ (zero) with ‘ZZ’ and substituting ‘F’ with ‘YY.’ This is shown in Figure 13.

Figure 13. resource object containing obfuscated data.

The stage 2 payload has the internal name ‘Pendulum.dll,’ and the stage 3 payload has the name ‘cruiser.dll.’ On execution, the stage 3 payload extracts the stage 4 payload from the bitmap object ‘faLa.’ Again, the visual aspects of this embedded bitmap object match those discussed in the previous two samples. This can be seen in Figure 14.

Figure 14. Image object faLa in the malware sample that contains an obfuscated payload.

The final payload in this sample was detected as AgentTesla, a well-known RAT.

Third-party research that includes TicTacToe dropper

In our search for any reporting on this dropper, we identified a malware analysis report from Jai Minton. The second malware sample we analyzed had the same names as the payload DLL files, also as mentioned in Jai Minton’s blog. The only slight change was that the stage 2 payload was ‘Pend.dll’ in his analyzed sample, and in the second sample analyzed above, it was ‘Pendulum.dll.’ Names of other intermediate payloads (Cruiser.dll and Discompard.dll) match the payloads analyzed in Jai’s blog. In addition to these naming similarities, the dropper behavior exhibited by the sample outlined in Jai’s analysis is identical and results in the loading and execution of a Remcos executable.

Commonalities

We analyzed multiple common characteristics in the different TicTacToe dropper samples. Here are some common characteristics:

  1. Multi-stage layered payloads.
  2. Dropper payloads all .NET executables/libraries.
  3. One or more payloads obfuscated using SmartAssembly software.
  4. Nesting of DLL files used to unpack obfuscated payloads.
  5. All payload stages, including the final payload, were loaded reflectively.
  6. Most primary .NET payloads had internal names with a combination of 3 to 8 letters in varying cases.
  7. Many samples had common strings for the month they were delivered (e.g., Kolko_i_krzyzyk, MatrixEqualityTestDetail, Kakurasu, etc.)
  8. Some of the samples try to create a copy of itself.

Conclusion

This dropper delivers multiple types of final payloads. As a result, we do not believe a single threat actor group uses this dropper. Instead, it is used as a tool that may be sold as a service to threat actors. We discovered that samples distributed at the beginning of 2023 contained the strings TicTacToe (Kolko_i_krzyzyk). Later campaigns had different unique strings common across the same campaigns but distributed different final-stage payloads. Some of the strings include: ‘MatrixEqualityTestDetail,’ ‘QuanLyCafe,’ ‘Pizza_Project,’ ‘Kakurasu,’ ‘BanHang_1’, ‘ChiuMartSAIS,’ etc. This indicates that the dropper tool is in constant development, and developers are trying to evade the string-based analysis of their malware dropper. By understanding the operation of this dropper and implementing solutions that can prevent its execution, organizations will be able to prevent the execution of a variety of final-stage payloads before they can be loaded.

Detection and Mitigation Strategies

Since each iteration of the dropper contains a different final payload, each would have a different hash. As a result, while hash-based detections are still effective at mitigating known campaigns that employ this loader, a behavior-based endpoint security tool is required to detect new campaigns due to the dynamic nature of this malware.

Multistage payload extraction and in-memory execution behaviors exhibited by this dropper are anomalous compared to normal application execution, and this type of behavior should be detected and blocked by EDR technology such as FortiEDR. The behavior discussed in this article outlines the behavior of the dropper component of analyzed samples rather than the final payload.

Additional samples related to previous known campaigns involving this dropper can be found in VirusTotal by searching for ‘fortinet:MSIL/Kryptik.AIJY!tr OR fortinet:MSIL/GenKryptik.GLXZ!tr OR fortinet:MSIL/GenKryptik.GCRZ!tr’ or by browsing the public collection here: https://www.virustotal.com/gui/collection/a5a5b60edcbbb203cb1965b1d544b74c47284e015ffd50312de0a251141bfbd7/iocs.

Fortinet Protections

As highlighted above, the loader described in this report is used to deploy a variety of final payloads. Each of these final payloads is typically tracked by FortiGuard Antivirus separately, but all instances of this loader can be tracked through the following trackers:

MSIL/Kryptik.AIJY!tr
MSIL/GenKryptik.GLXZ!tr
MSIL/GenKryptik.GCRZ!tr

FortiEDR blocks the reflective loading behavior of this loader, preventing it from loading its final-stage payload. FortiEDR is also able to extract in-memory loaded artifacts to assist with triaging an infection by this dropper.

We also suggest that organizations go through Fortinet’s free Fortinet Certified Fundamentals (FCF) in cybersecurity training. The training is designed to help end users learn about today's threat landscape and will introduce basic cybersecurity concepts and technology.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Indicator Description

Indicator

Indicator Type

Notes

First Observed

Malicious Executable


b6914b8fa3d0b67eb6173123652b7f0682cd24fb

SHA1 Hash

Dropper executable variant with final payload Lokibot

2023-04-06

Malicious Executable

90624ba95243c7ec20730a101cad6966e75df675

SHA1 Hash

Dropper executable variant final payload Warzone RAT

2023-04-12

Malicious Executable

4a5b3465ef2298392b60ec78da233287185eb7dd

SHA1 Hash

Dropper executable variant with final payload Trojan Mamut

2023-04-12

Malicious Executable

15b3c9768a67ce0d09807627f1939c7165a3fede

SHA1 Hash

Dropper executable variant with final payload Taskun malware

2023-04-12

Malicious Executable

af14b44a1bdbf96b8fec28236f152d410c91e807

SHA1 Hash

Dropper executable variant with final payload AgentTesla malware

2023-04-12

Malicious Executable


69dfa8c16879ab1c6c3bb738619dabe9660f2376cb15051ce55e465680e4f67f

SHA256 Hash

Dropper executable variant with final payload Lokibot

2023-04-06

Malicious Executable

3af5c0843b016faa6129e40b696565d4117b48fd6750164ac4a0f307ef3d6a36

SHA256 Hash

Dropper executable variant final payload Warzone RAT

2023-04-12

Malicious Executable

8fe52481cdabec8900f78cab1d673dbb1bde3366d9347a89c2ea8e2e74ab01b4

SHA256 Hash

Dropper executable variant with final payload Trojan Mamut

2023-04-12

Malicious Executable

0239bc35516d6d3680c64f7a5a5a40801c7b0ea4db8a80718e4774687c565af3

SHA256 Hash

Dropper executable variant with final payload Taskun malware

2023-04-12

Malicious Executable

349fada4859b8ffa4c690af723daa16669d6fa2b9f5ec51111adee2e8cb63748

SHA256 Hash

Dropper executable variant with final payload AgentTesla malware

2023-04-12

C2 URL

http[:]//64.227.48[.]212/project/five/fre.php

URL

C2 contacted by final payload

2023-11-27

C2 URL

http[:]//171.22.30[.]147/tony/five/fre.php

URL

C2 contacted by final payload

2023-04-13


文章来源: https://feeds.fortinet.com/~/869921006/0/fortinet/blog/threat-research~TicTacToe-Dropper
如有侵权请联系:admin#unsafe.sh