Researchers this week warned of a complex, evasive crypter that multiple threat actors are using to distribute a range of information stealers and remote-access Trojans (RATs).
The crypter, dubbed "DarkTortilla," is pervasive and persistent, and it packs several features designed to help it evade anti-malware and forensics tools. The .NET-based crypter can be configured to deliver numerous malicious payloads, and could potentially be used to plant illegal content on a victim's system. It is also capable of tricking both users and sandboxes into believing it is benign.
Researchers from Secureworks, who first spotted DarkTortilla last October, believe it has been active since at least August 2015. Rob Pantazopoulos, senior security researcher at Secureworks' Counter Threat Unit (CTU), says threat actors have used DarkTortilla in the past to deliver a wide range of other malware, including Remcos, BitRat, FormBook, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat. On a few occasions, the crypter has also been used in targeted attacks to deliver payloads such as Metasploit and Cobalt Strike.
Most recently, it has been used primarily to deliver malware such as the RATs AgentTesla, NanoCore, and AsyncRat, as well as the information stealer RedLine.
Somewhat unusually for such a widely used malware distributor, there have been just nine instances where a threat actor used DarkTortilla to distribute ransomware, and seven of those involved the Babuk ransomware family.
Pervasive and Versatile
"DarkTortilla first came into focus for Secureworks in October 2021 when we detected a threat actor leveraging a Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) to execute malicious PowerShell within customer environments," Pantazopoulos says. "The attack chain ultimately led to the download and execution of the .NET malware that we now call DarkTortilla."
Secureworks researchers said that from January 2021 through May, they observed an average of 93 unique DarkTortilla samples being uploaded to VirusTotal each week. The security vendor says it has counted more than 10,000 unique DarkTortilla samples since it began tracking the malware. As with many malware tools, attackers have been using spam emails with file attachments such as .ISO, .ZIP, and .IMG to distribute DarkTortilla. In some instances, they have also used malicious documents to deliver the malware.
Highly Configurable
What makes DarkTortilla dangerous is its high degree of configurability and the various anti-analysis and anti-tampering controls it packs to make detection and analysis extremely challenging. The malware, for instance, uses open source tools such as DeepSea and ConfuserEX to obfuscate its code, and its main payload gets executed entirely in memory, Pantazopoulos says.
Also, DarkTortilla's initial loader, which is the only component of the malware that touches the file system, contains minimal functionality, making it hard to spot.
"Its only job is to retrieve, decode, and load the core processor, which is usually stored as encrypted data within the initial loader's resources," he notes. The code itself is generic in nature and tends to vary between samples depending on the obfuscation tools that have been applied. As a result, Secureworks has only been able to identify a handful of consistent markers for the malware, and even those are likely to change quickly, the researcher says.
The security vendor's analysis of DarkTortilla showed that it migrates execution to the Windows %TEMP% directory during initial execution, a feature that Pantazopoulos says is troublesome for defenders. One benefit of doing this, from the attacker's perspective, is that it allows DarkTortilla to hide on an infected system.
"Second, if the %Delay% configuration element is defined within the DarkTortilla configuration, the amount of time from when DarkTortilla is run to when the main payload gets executed increases exponentially," he says. For instance, with just a few configuration changes, attackers can set the malware to execute its main payload several minutes after the DarkTortilla executable is run.
"The impact here is that, when defenders submit the sample to most popular sandboxes, the sample will likely time out without doing anything malicious, and the sandbox may report that the sample was benign."
Bag of Tricks
DarkTortilla's bag of tricks includes a message box that attackers can use to display customizable, fake messages about the malware being a legitimate application, about the execution failing, or about the software being corrupted. The goal here, again, is to trick users into believing the malware that is executing on their system is benign.
"From a features perspective, we find DarkTortilla's ability to deliver numerous additional payloads in the form of 'addons' to be very interesting," Pantazopoulos notes. In one instance, the configured addon was a benign decoy Excel spreadsheet that opened while the malware was executing in the background. In another instance, Secureworks found the configured addon was a legitimate application installer that ran while the malware was executing. Thus the victim assumed they were installing a legitimate application.
In a handful of instances, Secureworks observed threat actors using DarkTortilla to drop addons to disk that were not run afterwards. Of the more than 600 DarkTortilla addons that Secureworks has observed so far, only seven were dropped to disk and not executed.
The file types ranged from executables and configuration files to PDF documents and were usually dropped to the victim's My Documents folder. "Although we have yet to see it used this way, it is very possible that a threat actor could leverage DarkTortilla to plant illegal content on a victim's file system without their knowledge," Pantazopoulos says.