Secureworks CTU uncovers new information about DarkTortilla malware
Secureworks CTU researchers have found new information about the DarkTortilla malware, revealing more about its versatility and scope within the threat landscape.
Highly complex and also highly configurable, the .NET-based crypter malware has possibly been active since at least August 2015, causing widespread harm and security issues around the globe.
It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine, which the operators then use to further compromise the host and move into the network.
In a new development, the Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit.
They found that DarkTortilla can be configured to deliver add-on packages such as additional malicious payloads and/or benign decoy documents/executables, creating further harm on a wider scale.
Analysis of VirusTotal samples also revealed numerous campaigns delivering DarkTortilla via malicious spam (malspam). Emails typically use a logistics lure and include the malicious payload in an archive attachment with file types such as .iso, .zip, .img, .dmg, and .tar.
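As an added illustration of how a mail gateway or SOC script might triage the lure described above, the following Python snippet (written for this article, not Secureworks code) parses an email, flags attachments whose extension matches the archive types named in the report, and, for .zip attachments, lists members with executable-looking names. The sample message and its contents are constructed inline; the list of executable extensions is an assumption for the heuristic, not something the report specifies.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Archive attachment types named in the Secureworks report.
ARCHIVE_EXTENSIONS = {".iso", ".zip", ".img", ".dmg", ".tar"}
# Member names that warrant analyst attention (assumed heuristic, not from the report).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1"}


def _ext(name):
    """Lower-cased extension of a file name, including the dot ('' if none)."""
    name = (name or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def triage_email(raw_bytes):
    """Return one finding per archive attachment in the raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = _ext(filename)
        if ext not in ARCHIVE_EXTENSIONS:
            continue
        payload = part.get_payload(decode=True) or b""
        finding = {"attachment": filename, "type": ext, "suspicious_members": []}
        # Only zip is inspected here; .iso/.img/.dmg/.tar would need their own parsers.
        if ext == ".zip" and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                finding["suspicious_members"] = [
                    n for n in zf.namelist() if _ext(n) in EXECUTABLE_EXTENSIONS
                ]
        findings.append(finding)
    return findings


def build_sample_email():
    """Constructed sample: a logistics-themed message with a zip holding an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes, not a real executable.
        zf.writestr("Shipping_Invoice.exe", b"MZ placeholder")
    msg = EmailMessage()
    msg["From"] = "dispatch@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Delivery notice - shipment 4471 (constructed sample)"
    msg.set_content("Please see the attached shipping documents.")
    msg.add_attachment(
        buf.getvalue(), maintype="application", subtype="zip",
        filename="Shipping_Docs.zip",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_email(build_sample_email()):
        print(finding)
```

Flagged findings are meant to be routed to analyst review or sandbox detonation rather than acted on automatically; extension matching is a cheap first filter, and the other archive formats in the report would need dedicated parsers to inspect their contents.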
The crypter is described as very robust, with anti-analysis and anti-tamper controls that make detection, analysis, and eradication challenging.
From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. DarkTortilla is capable of evading detection, is highly configurable, and can deliver a wide range of popular and effective malware.
Another issue is that because the malware's primary payload is executed from within memory, no evidence of the payload will be found on the filesystem. The anti-tamper aspect of DarkTortilla ensures that it remains persistent in an environment and is hard to remove.
This versatility is rarely found in similar malware, making DarkTortilla even more dangerous. It can be configured with numerous payloads, supports multiple persistence types, and is capable of displaying a customisable message box to the victim. It can also migrate its execution multiple times during its initial run.
It was found that additional payloads can be configured to be dropped to the filesystem (but not executed), dropped to the filesystem and executed, or executed from within memory via process injection.
Code similarities also suggest possible links between DarkTortilla and other malware: specifically, a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.