"Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages"

Researchers at Cyble Research and Intelligence Labs have identified two phishing sites, one masquerading as a Cisco webpage and the other as a Grammarly site, which threat actors are using to deliver a severe piece of malware known as "DarkTortilla." The .NET-based malware can be modified to deliver numerous payloads and is notorious for its quiet and persistent behavior on compromised systems. Since at least 2015, multiple threat groups have used DarkTortilla to distribute information stealers and Remote Access Trojans (RATs), such as AgentTesla, AsyncRAT, and NanoCore. Additionally, some ransomware gangs, such as the operators of Babuk, have incorporated DarkTortilla into their payload delivery chain. In several of these campaigns, attackers have largely relied on spam emails with malicious file attachments to infect unsuspecting users with the malware. Cyble's analysis of the payload revealed that the malware is packed with features for persistence, process injection, antivirus and virtual machine/sandbox checks, displaying fake messages, connecting to its command-and-control (C2) server, and downloading additional payloads. To persist on infected systems, DarkTortilla places a copy of itself in the Startup folder and creates Run/Winlogon registry entries; as an additional persistence method, it also creates a subdirectory and copies itself into it. Its fake message feature displays notices designed to deceive victims into believing that the Grammarly or Cisco application they wanted could not run because required application components were missing. This article continues to discuss the spread of DarkTortilla malware through spoofed Grammarly and Cisco sites.
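As an added example (not part of the Cyble or Dark Reading write-ups), the following PowerShell script audits the three persistence locations the summary names: the Run keys, the Winlogon logon values, and the Startup folders. The path pattern used to flag entries is an assumption chosen for analyst review, not a DarkTortilla indicator.

```powershell
# Added example: enumerate the autostart locations described for DarkTortilla.
# Output is for analyst review; nothing here is a verified DarkTortilla indicator.
$results = @()

# 1. Run keys (per-user and machine-wide)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds
            if ($p.Name -notmatch '^PS') {
                $results += [pscustomobject]@{ Location = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# 2. Winlogon values that launch code at logon; the defaults are
#    explorer.exe (Shell) and userinit.exe (Userinit)
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
foreach ($name in 'Shell', 'Userinit') {
    $results += [pscustomobject]@{ Location = $winlogon; Name = $name; Value = $wl.$name }
}

# 3. Startup folders (current user and all users)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $results += [pscustomobject]@{ Location = $dir; Name = $_.Name; Value = $_.FullName }
    }
}

# Flag entries pointing into user-writable locations (assumed review heuristic):
# the summary notes DarkTortilla copies itself into a subdirectory it creates.
$suspectPath = '(?i)\\(AppData|Temp|Users\\Public)\\'
$results |
    Select-Object Location, Name, Value, @{ n = 'Suspect'; e = { [bool]($_.Value -match $suspectPath) } } |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize -Wrap
```

Run from an elevated prompt so the HKLM keys and the all-users Startup folder are readable; compare flagged entries against a known-good baseline rather than treating them as verdicts.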

Dark Reading reports "Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages"