Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Evasive ‘DarkTortilla’ Crypter Delivers RATs, Targeted Malware

Secureworks security researchers have analyzed ‘DarkTortilla’, a .NET-based crypter used to deliver both popular malware and targeted payloads.

Secureworks security researchers have analyzed ‘DarkTortilla’, a .NET-based crypter used to deliver both popular malware and targeted payloads.

Likely active since 2015, DarkTortilla was designed to keep malicious payloads hidden from detection software, and was previously seen delivering remote access trojans (RATs) and information stealers – AgentTesla, AsyncRat, NanoCore, and RedLine – as well as targeted payloads such as Cobalt Strike and Metasploit.

Highly configurable and complex, the crypter can also be used for the delivery of addons – additional payloads, decoy documents, and executables – and appears to be very popular among threat actors, with an average of 93 samples submitted to VirusTotal each week between January 2021 and May 2022.

During their analysis of the threat, Secureworks’ researchers have identified code similarities with a crypter that the RATs Crew threat group used between 2008 and 2011, and similarities with the Gameloader malware seen in 2021.

DarkTortilla, which packs robust anti-analysis and anti-tamper controls, is typically delivered via malicious spam, with the observed emails carrying .dmg, .iso, .img, .tar, or .zip attachments.

The spam emails have been customized to match the target’s language, and the researchers have identified samples in English, German, Italian, Bulgarian, Romanian, and Spanish.

Malicious documents delivering DarkTortilla embed the malware’s initial loader as a Packager Shell Object and ask the intended victim to double click it, or feature embedded macros designed to automate the execution of the Packager Shell Object.

The initial loader is a .NET-based executable that is complemented by a .NET-based DLL representing DarkTortilla’s core processor. While the code processor is typically embedded within the loader’s resources, the researchers have seen it being retrieved from public sites such as Pastebin, Textbin, and Paste.

“The initial loader decodes, loads, and executes the core processor. When executed, the core processor extracts, decrypts, and parses its configuration. The encrypted configuration is stored within the .NET resources of the initial loader as bitmap images,” Secureworks explains.

DarkTortilla’s core processor can be configured to display a fake message box, perform anti-VM and anti-sandbox checks, achieve persistence, migrate execution to the ‘temp’ folder, process addon packages, and migrate execution to its install directory.

Next, it injects its payload within the context of the configured subprocess, and can also implement anti-tamper controls, if configured to prevent interference with DarkTortilla’s or the payload’s execution.

Although often overlooked by security researchers, DarkTortilla should be considered a formidable threat, due to its evasion capabilities, configurability, and its use with a wide range of popular and effective malware, Secureworks concludes.

Related: Chinese Cyberspies Use Supply Chain Attack to Deliver Windows, macOS Malware

Related: PLC and HMI Password Cracking Tools Deliver Malware

Related: New ‘Bumblebee’ Malware Loader Used by Several Cybercrime Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Supply Chain Security

Oracle's Critical Patch Update for January 2023 includes 327 patches, with more than 70 that address critical-severity vulnerabilities.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...