
'DarkTortilla' Crypter Produces Targeted Malware 

Researchers from Secureworks examined "DarkTortilla," a .NET-based crypter used to distribute both well-known malware and custom payloads. 

Agent Tesla, AsyncRAT, NanoCore, and RedLine were among the information stealers and remote access trojans (RATs) delivered by DarkTortilla, which has probably been active since 2015. It was also detected distributing targeted payloads such as Cobalt Strike and Metasploit.

Software tools known as crypters enable malware to evade detection by security programs by combining encryption, obfuscation, and code manipulation.

Averaging 93 samples each week between January 2021 and May 2022, the highly configurable and complex crypter can also be used to deliver add-ons such as additional payloads, decoy documents, and executables. It also appears to be particularly popular among hackers.

Secureworks analysts have found code similarities with a crypter used by the RATs Crew threat group between 2008 and 2011, as well as with Gameloader, malware discovered in 2021.

The malicious spam emails that deliver DarkTortilla include archives containing an executable for an initial loader, which decodes and runs a core processor module that is either hidden within the email itself or downloaded from text-storage websites like Pastebin.

The researchers have found spam email samples in English, German, Italian, Bulgarian, Romanian, and Spanish languages. These emails are adapted to the target's language.

A complex configuration file, which enables the core processor to drop add-on packages like keyloggers, clipboard stealers, and cryptocurrency miners, is then used to establish persistence and inject the main RAT payload into memory without leaving a trace on the file system.

DarkTortilla's anti-tamper safeguards are also notable: they ensure that both processes used to run the components in memory are restarted immediately after termination.

Persistence of the initial loader is specifically provided by a second executable called a WatchDog, which monitors the targeted process and reruns it if it is killed.

DarkTortilla's core processor can be configured to perform anti-VM and anti-sandbox checks, establish persistence, migrate execution to the 'tmp' folder, process add-on packages, and migrate execution to its install directory.

It then injects its payload within the context of the configured subprocess and, if configured, can also provide anti-tamper protections to prevent interference with the execution of DarkTortilla or the payload.

This method is similar to the one used by the threat actor Moses Staff, which was discovered earlier this year using a watchdog-based strategy to prevent any interruption of its payloads. Two additional controls are also used to ensure the persistence of the initial loader as well as the continued execution of the dropped WatchDog executable itself.

Over the 17 months from January 2021 to May 2022, Secureworks said it found an average of 93 distinct DarkTortilla samples being uploaded to the VirusTotal malware database per week. Only roughly nine of the 10,000 samples monitored during that period were used to propagate ransomware, with seven distributing Babuk and two distributing MedusaLocker.
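From a defender's point of view, the watchdog behaviour described above is a telemetry pattern: a process is terminated and the same image is re-launched within seconds by a sibling binary, again and again. The following is an added example, not Secureworks' code or tooling, that scans constructed process start/stop events in a simple pipe-delimited layout (an assumed format, not any EDR product's real schema) and flags images that are repeatedly re-spawned right after termination. The file paths, the 10-second window and the restart threshold are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    kind: str            # "start" or "stop"
    pid: int
    image: str           # full path of the process image
    parent_image: str    # full path of the parent (the launcher)


# Constructed sample telemetry (not real logs). Assumed layout for this example:
#   timestamp | start/stop | pid | image | parent image
# upd.exe is killed twice and re-launched within seconds by wd.exe each time;
# editor.exe is closed and re-opened by the user half an hour later (benign).
SAMPLE_LOG = r"""
2022-05-01T10:00:00 | start | 4100 | C:\Users\u\AppData\Local\Temp\upd.exe | C:\Windows\explorer.exe
2022-05-01T10:00:01 | start | 4120 | C:\Users\u\AppData\Local\Temp\wd.exe | C:\Users\u\AppData\Local\Temp\upd.exe
2022-05-01T10:05:00 | stop | 4100 | C:\Users\u\AppData\Local\Temp\upd.exe | C:\Windows\explorer.exe
2022-05-01T10:05:02 | start | 4300 | C:\Users\u\AppData\Local\Temp\upd.exe | C:\Users\u\AppData\Local\Temp\wd.exe
2022-05-01T10:07:00 | stop | 4300 | C:\Users\u\AppData\Local\Temp\upd.exe | C:\Users\u\AppData\Local\Temp\wd.exe
2022-05-01T10:07:01 | start | 4420 | C:\Users\u\AppData\Local\Temp\upd.exe | C:\Users\u\AppData\Local\Temp\wd.exe
2022-05-01T10:30:00 | stop | 5000 | C:\Program Files\Editor\editor.exe | C:\Windows\explorer.exe
2022-05-01T11:00:00 | start | 5100 | C:\Program Files\Editor\editor.exe | C:\Windows\explorer.exe
"""


def parse_events(text: str) -> list:
    """Parse the pipe-delimited sample format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, pid, image, parent = [f.strip() for f in line.split("|")]
        events.append(ProcEvent(datetime.fromisoformat(ts), kind, int(pid), image, parent))
    return events


def find_watchdog_restarts(events, window=timedelta(seconds=10), min_restarts=2) -> dict:
    """Map image path -> list of (relauncher image, seconds after kill) for every
    image that was re-launched within `window` of a termination at least
    `min_restarts` times. A user re-opening a program minutes later does not
    match; a watchdog that respawns its partner within seconds does."""
    last_stop = {}               # image -> most recent termination event
    restarts = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "stop":
            last_stop[e.image] = e
        elif e.kind == "start" and e.image in last_stop:
            gap = e.ts - last_stop[e.image].ts
            if gap <= window:
                restarts[e.image].append((e.parent_image, gap.total_seconds()))
    return {img: hits for img, hits in restarts.items() if len(hits) >= min_restarts}


if __name__ == "__main__":
    for image, hits in find_watchdog_restarts(parse_events(SAMPLE_LOG)).items():
        print(f"{image}: re-launched {len(hits)}x right after termination")
        for parent, secs in hits:
            print(f"    by {parent} after {secs:.0f}s")
```

The relauncher's image is reported alongside each hit because it is the more useful pivot: in the pattern described above the re-launching parent is the watchdog binary itself, so the same query also surfaces the second executable that persistence depends on.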

Walmart Dissects New 'Sugar' Ransomware

The cyber threat research team at retail giant Walmart has found a new ransomware variant named Sugar, which is available to threat actors as ransomware-as-a-service (RaaS). 

Ransomware as a Service (RaaS) lets threat actors make a lot of money from ransomware while reducing their own effort. According to the data, this new ransomware variant was first detected in November 2021, but no technical details were available before. 

The Sugar ransomware is written in Delphi and also borrows objects from other ransomware families. Furthermore, unlike other ransomware families, Sugar primarily targets individual computers instead of entire enterprise networks, but it is equally dangerous, especially since it is offered as a RaaS. Walmart said in its findings that the threat actors' use of a crypter is one of the most interesting features of Sugar. 

The crypter is notable because it reuses code from the ransomware itself, which makes it significantly more interesting than a typical crypter. It also employs a modified version of RC4 encryption. The researchers therefore believe that either the Sugar ransomware and its crypter are controlled by the same threat group, or the crypter is offered to affiliates as part of the service. 

“The malware is written in Delphi but the interesting part […] was the reuse of the same routine from the crypter as part of the string decoding in the malware, this would lead us to believe that they have the same dev and the crypter is probably part of the build process or some service the main actor offers to their affiliates,” Walmart’s researchers noted. 
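The page only says that the shared routine is a "modified RC4"; it does not describe the modification. As an added reference (not Walmart's code and not Sugar's actual routine), the block below is the unmodified textbook RC4 that an analyst would compare a sample's routine against, plus a decoder for a hypothetical string table in which each entry is an independently RC4-encrypted UTF-8 string. The key and the table contents are constructed for the example; the 256-iteration swap loop in the key schedule is the shape that makes the routine recognisable when it turns up in two binaries.

```python
def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: a 256-entry S-box permuted by the key.
    The 256-iteration swap loop is the signature to look for in decompiled code."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: list, length: int) -> bytes:
    """Pseudo-random generation: produce `length` keystream bytes from the S-box."""
    s = s[:]  # work on a copy so a scheduled S-box can be reused for several blobs
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def decode_string_table(key: bytes, table: list) -> list:
    """Decode a list of RC4-encrypted blobs (hypothetical layout: one
    independently encrypted UTF-8 string per entry) once the key is known."""
    return [rc4(key, blob).decode("utf-8") for blob in table]


# Constructed sample: a key and a small string table encrypted with it, standing
# in for the kind of API-name strings a crypter typically hides.
SAMPLE_KEY = b"constructed-key"
SAMPLE_TABLE = [rc4(SAMPLE_KEY, s.encode()) for s in ("kernel32.dll", "GetProcAddress", "README.txt")]

if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext".
    print(rc4(b"Key", b"Plaintext").hex())        # bbf316e8d940af0ad3
    print(decode_string_table(SAMPLE_KEY, SAMPLE_TABLE))
```

Checking a recovered routine against the published test vectors is the quickest way to tell whether it is stock RC4 or a modified variant: if a sample's implementation produces different output for the same key and plaintext, the difference pinpoints where the author changed the algorithm.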

Why is Ransomware as a Service so dangerous? 

In just a few years, Ransomware as a Service (RaaS) has become very prevalent among cybercriminals since its first attack, Cryptolocker, was identified in 2013. Researchers said that 3-4 new ransomware families are now being distributed through RaaS channels. 

The number of cases has increased in recent years, and networks are being compromised in large numbers, which is highly alarming behavior that indicates the involvement of professional malicious actors.