Tuesday, December 20, 2022

Refined DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages



Researchers have spotted two phishing websites, one spoofing a Cisco webpage and the other masquerading as a Grammarly site, that threat actors are using to distribute a particularly pernicious piece of malware known as "DarkTortilla."

The .NET-based malware can be configured to deliver various payloads and is known for capabilities that make it extremely stealthy and persistent on the systems it compromises.

Multiple threat groups have been using DarkTortilla since at least 2015 to drop information stealers and remote access Trojans such as AgentTesla, AsyncRAT and NanoCore. Some ransomware groups too, such as the operators of Babuk, have used DarkTortilla as part of their payload delivery chain. In many of these campaigns, attackers have primarily used malicious file attachments (.zip, .img, .iso) in spam emails to ensnare unsuspecting users with the malware.

DarkTortilla Delivery Via Phishing Sites

Recently, researchers at Cyble Research and Intelligence Labs identified a malicious campaign in which threat actors are using two phishing sites, masquerading as legitimate sites, to distribute the malware. Cyble surmised that the operators of the campaign are likely using spam email or online ads to distribute links to the two sites.

Users who follow the link to the spoofed Grammarly site end up downloading a malicious file named "GnammanlyInstaller.zip" when they click the "Get Grammarly" button. The .zip file contains a malicious installer disguised as a Grammarly executable that drops a second, encrypted 32-bit .NET executable. That in turn downloads an encrypted DLL file from an attacker-controlled remote server. The .NET executable decrypts the DLL and loads it into the compromised system's memory, where it performs a variety of malicious actions, Cyble said.

The Cisco phishing site, meanwhile, looks like a download page for Cisco's Secure Client VPN technology. But when a user clicks the button to "order" the product, they instead download a malicious VC++ file from a remote attacker-controlled server. The malware triggers a series of actions that end with DarkTortilla installed on the compromised system.

Cyble's analysis of the payload showed the malware packing capabilities for persistence, process injection, antivirus and virtual machine/sandbox checks, displaying fake messages, and communicating with its command-and-control (C2) server and downloading additional payloads from it.

Cyble's researchers found that, to ensure persistence on an infected system, for instance, DarkTortilla drops a copy of itself into the system's Startup folder and creates Run/Winlogin registry entries. As an additional persistence mechanism, DarkTortilla also creates a new folder named "system_update.exe" on the infected system and copies itself into that folder.
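The persistence locations described above can be triaged quickly on a suspect host. The following PowerShell script is an added example, not code from Cyble's report; it lists Startup folder items, Run key values, the Winlogon Shell/Userinit values (the exact Winlogon values the malware touches are not stated in the article, so checking those two is an assumption) and any folder named "system_update.exe".

```powershell
# Added triage script (not from the Cyble report). Read-only: it reports,
# it does not remediate. Run in an elevated PowerShell 5.1+ session.
$findings = @()

# 1. Startup folders: anything here runs at logon for the user / all users.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.lnk', '.bat', '.vbs', '.ps1' } |
        ForEach-Object { $findings += "Startup item: $($_.FullName)" }
}

# 2. Run keys: every value is a command executed at logon, so list them all.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop PowerShell metadata members
            ForEach-Object { $findings += "Run value '$($_.Name)' = $($_.Value)" }
    }
}

# 3. Winlogon Shell / Userinit (assumed check): flag anything but the defaults
#    "explorer.exe" and "C:\Windows\system32\userinit.exe,".
$winlogon = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
foreach ($name in 'Shell', 'Userinit') {
    $val = $winlogon.$name
    if ($val -and $val -notmatch '^(explorer\.exe|C:\\Windows\\system32\\userinit\.exe,?)$') {
        $findings += "Winlogon $name is non-default: $val"
    }
}

# 4. A *folder* (not a file) named system_update.exe is the article's distinctive indicator.
Get-ChildItem -Path "$env:SystemDrive\", $env:USERPROFILE, $env:ProgramData -Directory -Recurse -Depth 3 -Filter 'system_update.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Folder named system_update.exe: $($_.FullName)" }

$findings
```

Run key and Startup entries are not malicious by themselves; review each reported path and compare against a known-good baseline before acting.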

Sophisticated & Dangerous Malware

DarkTortilla's fake message functionality, meanwhile, essentially serves up messages to trick victims into believing the Grammarly or Cisco application they wanted failed to run because certain dependent application components were not available on their system.

"The DarkTortilla malware is highly sophisticated .NET-based malware that targets users in the wild," Cyble researchers said in a Monday advisory. "The files downloaded from the phishing sites exhibit different infection techniques, indicating that the [threat actors] have a sophisticated platform capable of customizing and compiling the binary using various options."

DarkTortilla, as mentioned, often acts as a first-stage loader for other malware. Researchers from Secureworks' Counter Threat Unit earlier this year identified threat actors using DarkTortilla to mass-distribute a range of malware including Remcos, BitRat, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat.

They also identified some adversaries using the malware in targeted attacks to deliver Cobalt Strike and Metasploit post-compromise attack kits. At the time, Secureworks said it had counted at least 10,000 unique DarkTortilla samples since it first observed a threat actor using the malware in an attack targeting a critical Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) last year.

Secureworks assessed DarkTortilla as being very dangerous because of its high degree of configurability and its use of open source tools like ConfuserEx and DeepSea to obfuscate its code. The fact that DarkTortilla's main payload is executed entirely in memory is another feature that makes the malware dangerous and difficult to spot, Secureworks noted at the time.
