"After 7 Years, Long-Term Threat DarkTortilla Crypter Is Still Evolving"

DarkTortilla is a highly pervasive .NET-based crypter that has been flying under the radar since around 2015 and can deliver various malicious payloads. It continues to evolve rapidly, with nearly 10,000 code samples uploaded to VirusTotal over a 16-month period. According to Secureworks' Counter Threat Unit (CTU) researchers, the crypter typically delivers information stealers and Remote Access Trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. It can also deliver additional malware, benign decoy documents, and executables. DarkTortilla includes many controls aimed at making it difficult for threat hunters to detect, analyze, and eliminate it. Researchers often overlook DarkTortilla in favor of its main payload, but it evades detection, is highly configurable, and delivers a diverse range of popular and effective malware.

A crypter is software that encrypts, obfuscates, and manipulates malware to make it harder for security programs to detect. According to Trend Micro, cybercriminals use crypters to make malware masquerade as a harmless program in order to bypass security software and infiltrate a targeted system: the crypter encrypts the malicious program and reassembles the code. Crypters are typically delivered as attachments in spear-phishing emails and spam messages. While reviewing VirusTotal samples, Secureworks discovered numerous campaigns delivering DarkTortilla via spam emails tailored to the victim. CTU researchers have seen samples of the email written in English, German, Romanian, Spanish, and Bulgarian; the malicious payload arrives in an attachment with file types ranging from ".zip" and ".iso" to ".img" and ".tar".

DarkTortilla consists of a .NET executable that serves as the initial loader and a .NET-based DLL that serves as the core processor, which is required to launch the malicious payloads. The initial loader decodes, loads, and executes the core processor, after which the configuration is extracted, decrypted, and parsed. It also checks for virtual machines (VMs) and sandboxes, implements persistence, and processes add-on packages. The core processor then injects and executes the configured main payload and enforces its anti-tamper controls. This article continues to discuss findings regarding the DarkTortilla crypter.

The Register reports "After 7 Years, Long-Term Threat DarkTortilla Crypter Is Still Evolving"

Submitted by Anonymous on