Connect with us

Hi, what are you looking for?


Malware & Threats

Evasive ‘DarkTortilla’ Crypter Delivers RATs, Targeted Malware

Secureworks security researchers have analyzed ‘DarkTortilla’, a .NET-based crypter used to deliver both popular malware and targeted payloads.

Secureworks security researchers have analyzed ‘DarkTortilla’, a .NET-based crypter used to deliver both popular malware and targeted payloads.

Likely active since 2015, DarkTortilla was designed to keep malicious payloads hidden from detection software, and was previously seen delivering remote access trojans (RATs) and information stealers – AgentTesla, AsyncRat, NanoCore, and RedLine – as well as targeted payloads such as Cobalt Strike and Metasploit.

Highly configurable and complex, the crypter can also be used for the delivery of addons – additional payloads, decoy documents, and executables – and appears to be very popular among threat actors, with an average of 93 samples submitted to VirusTotal each week between January 2021 and May 2022.

During their analysis of the threat, Secureworks’ researchers have identified code similarities with a crypter that the RATs Crew threat group used between 2008 and 2011, and similarities with the Gameloader malware seen in 2021.

DarkTortilla, which packs robust anti-analysis and anti-tamper controls, is typically delivered via malicious spam, with the observed emails carrying .dmg, .iso, .img, .tar, or .zip attachments.

The spam emails have been customized to match the target’s language, and the researchers have identified samples in English, German, Italian, Bulgarian, Romanian, and Spanish.

Malicious documents delivering DarkTortilla embed the malware’s initial loader as a Packager Shell Object and ask the intended victim to double click it, or feature embedded macros designed to automate the execution of the Packager Shell Object.

The initial loader is a .NET-based executable that is complemented by a .NET-based DLL representing DarkTortilla’s core processor. While the code processor is typically embedded within the loader’s resources, the researchers have seen it being retrieved from public sites such as Pastebin, Textbin, and Paste.

Advertisement. Scroll to continue reading.

“The initial loader decodes, loads, and executes the core processor. When executed, the core processor extracts, decrypts, and parses its configuration. The encrypted configuration is stored within the .NET resources of the initial loader as bitmap images,” Secureworks explains.

DarkTortilla’s core processor can be configured to display a fake message box, perform anti-VM and anti-sandbox checks, achieve persistence, migrate execution to the ‘temp’ folder, process addon packages, and migrate execution to its install directory.

Next, it injects its payload within the context of the configured subprocess, and can also implement anti-tamper controls, if configured to prevent interference with DarkTortilla’s or the payload’s execution.

Although often overlooked by security researchers, DarkTortilla should be considered a formidable threat, due to its evasion capabilities, configurability, and its use with a wide range of popular and effective malware, Secureworks concludes.

Related: Chinese Cyberspies Use Supply Chain Attack to Deliver Windows, macOS Malware

Related: PLC and HMI Password Cracking Tools Deliver Malware

Related: New ‘Bumblebee’ Malware Loader Used by Several Cybercrime Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights