TicTacToe Dropper | FortiGuard Labs

FortiGuard research describes a multi-stage .NET dropper family dubbed “TicTacToe” that delivers various final-stage RATs and info stealers by unpacking layered, obfuscated DLLs directly into memory. The dropper is distributed via ISO attachments and uses DeepSea/SmartAssembly obfuscation and reflective loading to evade detection. #TicTacToe #AgentTesla

Keypoints

  • Delivery via ISO attachments in phishing campaigns (T1566.001), using ISO packing as a mark-of-the-web bypass (T1553.005).
  • Primary samples are 32-bit .NET executables that extract multiple nested .NET DLLs and load them reflectively into memory without writing to disk.
  • Obfuscation layers include DeepSea 4.1, SmartAssembly, and simple custom string/hex substitutions; de4dot was effective at partially de-obfuscating several stages.
  • Typical multi-stage chain: dropper EXE → stage2 (.NET DLL, e.g., Hadval.dll/Pendulum.dll) → stage3 (cruiser.dll) → stage4 (e.g., Farinell2.dll/Discompard.dll) → final payload (Leonem, AgentTesla, LokiBot, Remcos, etc.).
  • Final payloads vary across campaigns, indicating the dropper is a reusable tool likely sold or shared among different actors rather than a single group.
  • Detection/mitigation should prioritize behavior-based EDR that spots multi-stage in-memory extraction and reflective loading; FortiEDR can block the reflective loading behavior and extract in-memory artifacts for triage.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – used to deliver ISO attachments to victims. Quote: (‘delivered to the victim via phishing as an attachment (T1566.001)’)
  • [T1553.005] Mark-of-the-Web Bypass – ISO packing employed to avoid detection and bypass MOTW. Quote: (‘packing malware inside an iso file is typically employed to avoid detection by antivirus software and as a mark-of-the-web (MOTW) bypass technique (T1553.005)’)

Indicators of Compromise

  • [SHA1 Hash] Dropper samples – b6914b8fa3d0b67eb6173123652b7f0682cd24fb (Lokibot variant), af14b44a1bdbf96b8fec28236f152d410c91e807 (AgentTesla variant)
  • [SHA256 Hash] Dropper samples – 69dfa8c16879ab1c6c3bb738619dabe9660f2376cb15051ce55e465680e4f67f (Lokibot), 349fada4859b8ffa4c690af723daa16669d6fa2b9f5ec51111adee2e8cb63748 (AgentTesla)
  • [C2 URL] Final payload callbacks – http[:]//64.227.48[.]212/project/five/fre.php, http[:]//171.22.30[.]147/tony/five/fre.php
  • [File/Resource Names] Internal filenames and resources used in-chain – ALco.exe, Hadval.dll, cruiser.dll, Farinell2.dll, Discompard.dll (and other stage DLL names)

The TicTacToe dropper is deployed as a 32-bit .NET executable inside ISO attachments. On execution, the primary EXE extracts an embedded .NET PE DLL (stage2) into memory and loads it via runtime assembly objects (Assembly.Load), avoiding disk writes. Stage2 binaries (e.g., Hadval.dll or Pendulum.dll) are heavily obfuscated (DeepSea 4.1) and often contain a compressed gzip blob that, when decompressed, yields a stage3 DLL (commonly cruiser.dll) protected by SmartAssembly; tools like de4dot were used to partially de-obfuscate these intermediate libraries for analysis.

The stage3 DLL reads embedded resources (often hex strings or bitmap objects with names like dZAu, JqZn, faLa) that contain further payloads; simple obfuscation quirks observed include ‘0’→‘ZZ’ and ‘F’→‘YY’ substitutions for hex strings. These resources decode to additional .NET DLLs (stage4 such as Farinell2.dll or Discompard.dll) which themselves de-obfuscate, reflectively load, and execute the final payload in memory. Final-stage binaries observed include credential stealers and RATs (Leonem/TinyBanker, AgentTesla, LokiBot, Remcos, Taskun, etc.), and some samples attempt to copy themselves to temporary folders as part of persistence or staging.
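The two unpacking steps described above (a gzip blob inside stage2, and stage3 hex-string resources carrying the ‘ZZ’/‘YY’ substitutions) are what an analyst has to reverse to recover the next-stage DLL for triage. The helper below is an added example written for this summary, not code from FortiGuard Labs or from the samples: it reverses the substitutions, hex-decodes, gunzips when the gzip magic is present, and then checks whether the result is a PE with a populated CLR runtime header, i.e. a managed image of the kind a stage would pass to Assembly.Load. All function names are hypothetical, the substitution table is the one the write-up describes, and the “stage DLL” used as input is a constructed minimal PE32 header, not a real sample.

```python
import gzip
import re
import struct

# Substitution table as described in the write-up: 'ZZ' stands in for '0', 'YY' for 'F'.
SUBSTITUTIONS = {"ZZ": "0", "YY": "F"}
HEX_RE = re.compile(r"^[0-9A-Fa-f]*$")


def unsubstitute_hex(blob: str) -> str:
    """Reverse the 'ZZ'->'0' and 'YY'->'F' substitutions and validate the result as hex."""
    text = blob.strip()
    for marker, nibble in SUBSTITUTIONS.items():
        text = text.replace(marker, nibble)
    if len(text) % 2 or not HEX_RE.match(text):
        raise ValueError("not a hex string after reversing substitutions")
    return text


def decode_stage(blob: str) -> bytes:
    """Hex-decode a resource string and gunzip it if it starts with the gzip magic (1f 8b)."""
    data = bytes.fromhex(unsubstitute_hex(blob))
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data


def has_clr_header(pe: bytes) -> bool:
    """True if the bytes are a PE whose CLR runtime data directory (index 14) is populated,
    i.e. a managed (.NET) image rather than a native binary or arbitrary data."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20          # skip PE signature and the 20-byte COFF header
    if opt + 2 > len(pe):
        return False
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:               # PE32: data directories start at optional header + 96
        dirs = opt + 96
    elif magic == 0x20B:             # PE32+: data directories start at optional header + 112
        dirs = opt + 112
    else:
        return False
    entry = dirs + 14 * 8            # directory 14 = CLR runtime header
    if entry + 8 > len(pe):
        return False
    rva, size = struct.unpack_from("<II", pe, entry)
    return rva != 0 and size != 0


def triage(blob: str) -> dict:
    """Decode one resource string and summarise what the next stage looks like."""
    data = decode_stage(blob)
    return {
        "size": len(data),
        "is_pe": data[:2] == b"MZ",
        "is_dotnet": has_clr_header(data),
    }


def build_fake_dotnet_pe() -> bytes:
    """Constructed stand-in for a stage DLL: a minimal PE32 header with a CLR directory set.
    It is not a loadable binary, only enough structure to exercise the checks above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)       # CLR header RVA / size
    return bytes(dos) + coff + bytes(opt)


def obfuscate_sample(pe: bytes) -> str:
    """Constructed stage3-style resource: gzip, hex-encode, then apply the documented substitutions."""
    return gzip.compress(pe, mtime=0).hex().upper().replace("0", "ZZ").replace("F", "YY")


if __name__ == "__main__":
    resource = obfuscate_sample(build_fake_dotnet_pe())
    print(resource[:48] + "...")
    print(triage(resource))
```

The CLR-header check is the useful part for triage: a decoded blob that is a PE but has no CLR directory is not something a .NET stage can hand to Assembly.Load, so it is either a native final payload or not yet fully unpacked. Real resources may carry further layers (bitmap-wrapped data, additional string tricks) that this helper does not attempt; it is meant to be run on the strings extracted from a de4dot-cleaned stage, not on the original sample.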

Because every deployment unpacks different final payloads, detection by static hashes is limited; effective mitigation focuses on behavior-based detection of multi-stage, nested extraction and reflective in-memory loading. Endpoint protections that block reflective loading and extract in-memory artifacts (e.g., FortiEDR) can prevent final payload execution and assist incident triage.

Read more: https://feeds.fortinet.com/~/869921006/0/fortinet/blog/threat-research~TicTacToe-Dropper