DarkTortilla is a sophisticated and highly configurable crypter malware that delivers popular infostealers and remote access trojans including AgentTesla, AsyncRAT, Redline and NanoCore.
What Is the DarkTortilla Crypter?
A crypter is software that encrypts, obfuscates, and otherwise manipulates malware so that security programs have a harder time detecting it. Malware operators routinely deploy crypters to bypass anti-malware and security applications by presenting the payload as a harmless program.
The crypter is written in .NET and has been active since at least August 2015. DarkTortilla has been used in widespread malware campaigns, but its latest attacks deliver targeted payloads such as Cobalt Strike and Metasploit. The discovery comes from the Secureworks Counter Threat Unit, who identified multiple samples. “From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service,” the report said.
How Are DarkTortilla’s Latest Campaigns Carried Out?
The primary distribution method is malicious spam (malspam). Not surprisingly, the emails are designed to trick the receiver into opening the malicious payload, hidden in an archive attachment with file types including .iso, .zip, .img, .dmg, and .tar. The emails are customized according to the target’s language, and can be written in English, German, Romanian, Spanish, Italian, and Bulgarian, as revealed by the detected samples.
The crypter consists of two interconnected components that enable the payload’s delivery: a .NET-based executable, the initial loader, and a .NET-based DLL, the core processor.
The attack starts with execution of the initial loader, which retrieves the encoded core processor. The initial loader then decodes, loads, and executes the core processor, which in turn extracts, decrypts, and parses the malware’s configuration.
Depending on DarkTortilla’s configuration, the core processor is capable of the following:
- Displaying a fake message box
- Performing anti-virtual machine checks
- Performing anti-sandbox checks
- Implementing persistence
- Migrating execution to the Windows %TEMP% directory via the “Melt” configuration element
- Processing addon packages
- Migrating execution to its install directory
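The “Melt” behaviour above (a process relaunching a copy of itself from the Windows %TEMP% directory) is one of the few capabilities on this list that leaves a clear footprint in endpoint telemetry. The following is an added detection example, not code from the Secureworks report or from DarkTortilla itself; it assumes Sysmon-style process-creation events with the field names shown, and the events are constructed samples.

```python
import ntpath
import re

# Constructed process-creation events in a Sysmon-like shape (assumed field names, not real telemetry).
EVENTS = [
    {"pid": 4112, "ppid": 3020, "image": r"C:\Users\alice\Downloads\invoice.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Same-named copy relaunched from the user's Temp directory: the "melt" pattern.
    {"pid": 4388, "ppid": 4112, "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "parent_image": r"C:\Users\alice\Downloads\invoice.exe"},
    # Installer dropping a differently named helper into Temp: not flagged by this heuristic.
    {"pid": 5001, "ppid": 3020, "image": r"C:\Users\alice\AppData\Local\Temp\setup_tmp\setup.exe",
     "parent_image": r"C:\Users\alice\Downloads\installer.exe"},
]

# Per-user and system-wide Temp locations on Windows.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def is_temp_path(path):
    """True if the image path lies under a Windows Temp directory."""
    return bool(TEMP_RE.search(path))


def find_melt_relaunch(events):
    """Return events where a process outside Temp spawns a same-named copy of itself inside Temp.

    This is a heuristic: some legitimate self-extracting installers behave the same way,
    so hits should be triaged against the parent's origin (e.g. a mounted .iso/.img or a mail download).
    """
    hits = []
    for ev in events:
        child, parent = ev["image"], ev["parent_image"]
        if not is_temp_path(child) or is_temp_path(parent):
            continue
        # ntpath handles backslash paths correctly even when this runs on a non-Windows host.
        if ntpath.basename(child).lower() == ntpath.basename(parent).lower():
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_melt_relaunch(EVENTS):
        print(f"melt-style relaunch: pid={hit['pid']} parent={hit['parent_image']} -> {hit['image']}")
```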
“Researchers often overlook DarkTortilla and focus on its main payload. However, DarkTortilla is capable of evading detection, is highly configurable, and delivers a wide range of popular and effective malware. Its capabilities and prevalence make it a formidable threat,” the researchers concluded.