
Windows systems targeted by new TicTacToe dropper

Windows systems have been targeted over the past year by a new family of malware droppers collectively named TicTacToe, used to deliver a range of final-stage payloads including AgentTesla, Remcos, LokiBot, and SnakeLogger, Hackread reports. Intrusions in the earlier part of 2023 used a Polish string that translates to "TicTacToe", which gave the family its name; in more recent campaigns the operators changed both the strings and the delivered payloads, according to a report from Fortinet's FortiGuard Labs. When the researchers ran a TicTacToe sample through de4dot, an open-source .NET deobfuscator, the cleaned-up code exposed the parts of Hadval.dll responsible for extracting a gzip-compressed blob, which is then executed as the next stage. In the sample that dropped AgentTesla, the final payload was delivered through several such stages. Because the strings and payloads keep changing, the researchers recommend pairing hash-based detections of known samples with behavior-based endpoint security tools, such as FortiEDR, that can catch variants no hash list has seen yet.
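The gzip-blob-inside-a-stage layout described above is the core of how a multi-stage .NET dropper like this one works, and it is also what a triage analyst has to unwind to get stable hashes for each stage. The following Python helper is an added example written for this page; it is not code from the Fortinet report, from Hackread, or from the dropper itself. It carves every complete gzip member out of a binary, checks whether the decompressed stage is a PE image, records its SHA-256, and recurses into it to recover nested stages. The sample bytes at the bottom are constructed inline: the "PE images" are minimal stand-ins with only an MZ stub and a PE signature, not real malware, and the names `build_fake_pe`, `carve_gzip_members` and `unpack_stages` are this example's own.

```python
import gzip
import hashlib
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate): the start of every gzip member


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ stub and a 'PE\\0\\0' signature at e_lfanew.
    A real triage tool would go on to parse the CLR header to confirm a .NET image."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_gzip_members(data: bytes, min_size: int = 32) -> list:
    """Return (offset, decompressed_bytes) for every complete gzip member in data.
    Bytes that merely look like a gzip header (and fail to inflate) are skipped,
    and the scan resumes after each member that did inflate, so the compressed
    body of one member is never re-carved as if it were another."""
    found = []
    offset = data.find(GZIP_MAGIC)
    while offset != -1:
        dec = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
        try:
            payload = dec.decompress(data[offset:])
        except zlib.error:
            # False positive: the three magic bytes were not a real gzip header.
            offset = data.find(GZIP_MAGIC, offset + 1)
            continue
        if dec.eof and len(payload) >= min_size:
            found.append((offset, payload))
            member_len = len(data) - offset - len(dec.unused_data)
            offset = data.find(GZIP_MAGIC, offset + member_len)
        else:
            # Truncated stream (no end-of-member reached): keep looking.
            offset = data.find(GZIP_MAGIC, offset + 1)
    return found


def unpack_stages(data: bytes, depth: int = 0, max_depth: int = 5) -> list:
    """Recursively carve gzip blobs and return one record per recovered stage,
    depth-first, so nested stages follow the stage that embeds them."""
    stages = []
    if depth >= max_depth:  # guard against pathological self-embedding
        return stages
    for offset, payload in carve_gzip_members(data):
        stages.append({
            "depth": depth + 1,
            "offset": offset,
            "size": len(payload),
            "is_pe": looks_like_pe(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),  # stable per-stage hash
        })
        stages.extend(unpack_stages(payload, depth + 1, max_depth))
    return stages


def build_fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for a PE image: 0x40-byte DOS stub with e_lfanew=0x40,
    then the 'PE\\0\\0' signature, then body. It is not a loadable executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + body


# Constructed sample: final stage -> gzip -> embedded in a middle stage -> gzip ->
# embedded in an outer container, with a decoy gzip magic placed before it.
FINAL_PAYLOAD = build_fake_pe(b"final stage, e.g. an infostealer " * 4)
STAGE2 = gzip.compress(FINAL_PAYLOAD, mtime=0)
MIDDLE = build_fake_pe(b"\x00" * 16 + STAGE2 + b"\x00" * 16)
STAGE1 = gzip.compress(MIDDLE, mtime=0)
SAMPLE = b"\x00" * 100 + b"junk" + GZIP_MAGIC + b"\x00" * 50 + STAGE1 + b"\x00" * 100
FINAL_SHA256 = hashlib.sha256(FINAL_PAYLOAD).hexdigest()

if __name__ == "__main__":
    for s in unpack_stages(SAMPLE):
        print(f"depth={s['depth']} offset={s['offset']} size={s['size']} "
              f"pe={s['is_pe']} sha256={s['sha256'][:16]}...")
```

Run against the constructed sample it reports two stages: the middle image at offset 157 of the container and the final image at offset 84 inside the middle image, each with its own SHA-256. Those per-stage hashes are what a hash-based detection can match on once a sample has been unpacked, and the fact that they only appear after inflation is why the outer file's hash changes whenever the operators re-pack or swap the payload.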
