
Evasive ‘DarkTortilla’ Crypter Delivers RATs, Targeted Malware

Secureworks security researchers have analyzed ‘DarkTortilla’, a .NET-based crypter used to deliver both popular malware and targeted payloads.

Likely active since 2015, DarkTortilla was designed to keep malicious payloads hidden from detection software, and was previously seen delivering remote access trojans (RATs) and information stealers – AgentTesla, AsyncRat, NanoCore, and RedLine – as well as targeted payloads such as Cobalt Strike and Metasploit.

Highly configurable and complex, the crypter can also be used for the delivery of addons – additional payloads, decoy documents, and executables – and appears to be very popular among threat actors, with an average of 93 samples submitted to VirusTotal each week between January 2021 and May 2022.

During their analysis of the threat, Secureworks’ researchers have identified code similarities with a crypter that the RATs Crew threat group used between 2008 and 2011, and similarities with the Gameloader malware seen in 2021.

DarkTortilla, which packs robust anti-analysis and anti-tamper controls, is typically delivered via malicious spam, with the observed emails carrying .dmg, .iso, .img, .tar, or .zip attachments.

The spam emails have been customized to match the target’s language, and the researchers have identified samples in English, German, Italian, Bulgarian, Romanian, and Spanish.

Malicious documents delivering DarkTortilla embed the malware’s initial loader as a Packager Shell Object and ask the intended victim to double-click it, or carry embedded macros that automate the execution of the Packager Shell Object.
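The delivery mechanism described above (an embedded Packager Shell Object, optionally paired with a macro that launches it) leaves a visible footprint inside an Office file. The following triage script is an added example, not code from Secureworks or SecurityWeek: it assumes the lure is an OOXML container (.docx/.xlsx/.pptx, which are ZIP archives) and flags embedded OLE objects under `embeddings/` plus the presence of a `vbaProject.bin` stream. The sample documents it inspects are constructed in memory so the script runs offline; legacy binary formats (.doc/.xls) use a different container and are out of scope here. It also includes a small helper for the attachment extensions the article lists as observed in DarkTortilla spam.

```python
import io
import re
import zipfile

# First 8 bytes of an OLE Compound File (the format of embedded Packager objects and vbaProject.bin).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OOXML parts where embedded objects and VBA projects live.
EMBEDDING_RE = re.compile(r"^(word|xl|ppt)/embeddings/[^/]+\.bin$", re.IGNORECASE)
VBA_RE = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)

# Attachment container types the article reports for DarkTortilla spam.
RISKY_ATTACHMENT_EXTENSIONS = {".dmg", ".iso", ".img", ".tar", ".zip"}


def triage_ooxml(data: bytes) -> dict:
    """Inspect an OOXML document (bytes) for embedded OLE objects and VBA."""
    findings = {"embedded_objects": [], "ole_embeddings": [], "vba_project": False}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            if EMBEDDING_RE.match(name):
                findings["embedded_objects"].append(name)
                # A Packager Shell Object is stored as an OLE compound file.
                if archive.read(name)[:8] == OLE_MAGIC:
                    findings["ole_embeddings"].append(name)
            elif VBA_RE.match(name):
                findings["vba_project"] = True
    # Embedded OLE object plus macros is the combination the article describes.
    if findings["ole_embeddings"] and findings["vba_project"]:
        findings["risk"] = "high"
    elif findings["ole_embeddings"] or findings["vba_project"]:
        findings["risk"] = "medium"
    else:
        findings["risk"] = "low"
    return findings


def risky_attachment(filename: str) -> bool:
    """True if the filename ends in one of the container types listed in the article."""
    lowered = filename.lower()
    return any(lowered.endswith(ext) for ext in RISKY_ATTACHMENT_EXTENSIONS)


def build_sample_docx(with_ole: bool, with_vba: bool) -> bytes:
    """Constructed minimal OOXML-style archive used as sample input (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_ole:
            # Header of an OLE compound file followed by filler bytes.
            archive.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 24)
        if with_vba:
            archive.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (
        ("clean", build_sample_docx(False, False)),
        ("ole-only", build_sample_docx(True, False)),
        ("ole+vba", build_sample_docx(True, True)),
    ):
        print(label, triage_ooxml(doc))
    print("invoice.iso ->", risky_attachment("invoice.iso"))
```

A match on `ole_embeddings` is only a lead, not a verdict: legitimate documents embed objects too, so the output is meant for triage queues or mail-gateway scoring rather than automatic blocking.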

The initial loader is a .NET-based executable that is complemented by a .NET-based DLL representing DarkTortilla’s core processor. While the core processor is typically embedded within the loader’s resources, the researchers have also seen it being retrieved from public paste sites such as Pastebin, Textbin, and Paste.

“The initial loader decodes, loads, and executes the core processor. When executed, the core processor extracts, decrypts, and parses its configuration. The encrypted configuration is stored within the .NET resources of the initial loader as bitmap images,” Secureworks explains.

DarkTortilla’s core processor can be configured to display a fake message box, perform anti-VM and anti-sandbox checks, achieve persistence, migrate execution to the ‘temp’ folder, process addon packages, and migrate execution to its install directory.

Next, it injects its payload within the context of the configured subprocess and, if configured to do so, also applies anti-tamper controls to prevent interference with DarkTortilla’s or the payload’s execution.

Although often overlooked by security researchers, DarkTortilla should be considered a formidable threat, due to its evasion capabilities, configurability, and its use with a wide range of popular and effective malware, Secureworks concludes.

Related: Chinese Cyberspies Use Supply Chain Attack to Deliver Windows, macOS Malware

Related: PLC and HMI Password Cracking Tools Deliver Malware

Related: New ‘Bumblebee’ Malware Loader Used by Several Cybercrime Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.