
Volume 311, Issue 2 · IT Vendor News · Fortinet

TicTacToe Dropper

Fortinet News, Wednesday, February 14th, 2024

While analyzing malware samples collected from several victims, the FortiGuard team identified a grouping of malware droppers used to deliver various final-stage payloads throughout 2023. Malware droppers are malicious software designed to deliver and execute additional malware on a victim system and are employed to obfuscate final payloads during load and initial execution.

Droppers within this group employ multiple stages of obfuscated payloads that are loaded reflectively in memory. Some of the final-stage payloads we identified include Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos. We have named this group of payloads 'TicTacToe dropper' because of a common Polish-language string, 'Kolko_i_krzyzyk,' found in multiple earlier samples of the dropper, which translates to TicTacToe in English. While not all versions of this group of droppers contain this string, commonalities in their behavior led us to this grouping.
