Secureworks security researchers have analyzed ‘DarkTortilla’, a .NET-based crypter used to deliver both popular malware and targeted payloads.
Likely active since 2015, DarkTortilla was designed to keep malicious payloads hidden from detection software, and was previously seen delivering remote access trojans (RATs) and information stealers – AgentTesla, AsyncRat, NanoCore, and RedLine – as well as targeted payloads such as Cobalt Strike and Metasploit.
Highly configurable and complex, the crypter can also be used for the delivery of addons – additional payloads, decoy documents, and executables – and appears to be very popular among threat actors, with an average of 93 samples submitted to VirusTotal each week between January 2021 and May 2022.
During their analysis of the threat, Secureworks’ researchers have identified code similarities with a crypter that the RATs Crew threat group used between 2008 and 2011, and similarities with the Gameloader malware seen in 2021.
DarkTortilla, which packs robust anti-analysis and anti-tamper controls, is typically delivered via malicious spam, with the observed emails carrying .dmg, .iso, .img, .tar, or .zip attachments.
The spam emails have been customized to match the target’s language, and the researchers have identified samples in English, German, Italian, Bulgarian, Romanian, and Spanish.
Malicious documents delivering DarkTortilla embed the malware’s initial loader as a Packager Shell Object and ask the intended victim to double click it, or feature embedded macros designed to automate the execution of the Packager Shell Object.
The initial loader is a .NET-based executable that is complemented by a .NET-based DLL representing DarkTortilla’s core processor. While the code processor is typically embedded within the loader’s resources, the researchers have seen it being retrieved from public sites such as Pastebin, Textbin, and Paste.
“The initial loader decodes, loads, and executes the core processor. When executed, the core processor extracts, decrypts, and parses its configuration. The encrypted configuration is stored within the .NET resources of the initial loader as bitmap images,” Secureworks explains.
DarkTortilla’s core processor can be configured to display a fake message box, perform anti-VM and anti-sandbox checks, achieve persistence, migrate execution to the ‘temp’ folder, process addon packages, and migrate execution to its install directory.
Next, it injects its payload within the context of the configured subprocess, and can also implement anti-tamper controls, if configured to prevent interference with DarkTortilla’s or the payload’s execution.
Although often overlooked by security researchers, DarkTortilla should be considered a formidable threat, due to its evasion capabilities, configurability, and its use with a wide range of popular and effective malware, Secureworks concludes.