DarkTortilla Malware Wraps in Sophistication for High-Volume RAT Infections

Published : 23/11/2024   Category : security


The stealthy crypter, active since 2015, has been used to deliver a wide range of information stealers and RATs at a rapid, widespread clip.



Researchers this week warned of a sophisticated, evasive crypter that several threat actors are using to distribute a range of information stealers and remote-access Trojans (RATs).
The crypter, dubbed DarkTortilla, is pervasive and persistent, and it packs multiple features designed to help it evade anti-malware and forensics tools. The .NET-based crypter can be configured to deliver numerous malicious payloads, and it could potentially be used to plant illegal content on a victim's system. It's also capable of tricking both users and sandboxes into believing it is benign.
Researchers from Secureworks, who first spotted DarkTortilla last October, believe it has been active since at least August 2015. Rob Pantazopoulos, senior security researcher at Secureworks Counter Threat Unit (CTU), says threat actors have used DarkTortilla in the past to deliver a wide range of other malware, including Remcos, BitRat, FormBook, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat. On a few occasions, the crypter has also been used in targeted attacks to deliver payloads such as Metasploit and Cobalt Strike.
Most recently, it's been used mainly to deliver malware such as the RATs AgentTesla, NanoCore, and AsyncRat, as well as the information stealer RedLine.
Somewhat unusually for such a widely used malware distributor, there have been just nine instances where a threat actor used DarkTortilla to distribute ransomware — and seven of those involved the Babuk ransomware family.
"DarkTortilla first came into focus for Secureworks in October 2021 when we detected a threat actor leveraging a Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) to execute malicious PowerShell within customer environments," Pantazopoulos says. "The attack chain eventually led to the download and execution of the .NET malware that we now call DarkTortilla."
Secureworks researchers said that from January 2021 through May 2022, they spotted an average of 93 unique DarkTortilla samples being uploaded to VirusTotal every week. The security vendor says it has counted more than 10,000 unique DarkTortilla samples since it began tracking the malware. As with many malware tools, attackers have been distributing DarkTortilla through spam emails carrying file attachments such as .ISO, .ZIP, and .IMG. In some instances, they have also used malicious documents to deliver the malware.
What makes DarkTortilla dangerous is its high degree of configurability and the various anti-analysis and anti-tampering controls it packs to make detection and analysis highly challenging. The malware, for instance, uses open source tools such as DeepSea and ConfuserEX to obfuscate its code, and its main payload gets executed entirely in memory, Pantazopoulos says.
Also, DarkTortilla's initial loader, which is the only component of the malware that touches the file system, contains minimal functionality, making it hard to spot.
Its only job is to retrieve, decode, and load the core processor, which is typically stored as encrypted data within the initial loader's resources, he notes. The code itself is generic in nature and tends to vary between samples depending on the obfuscation tools that have been applied. As a result, Secureworks has only been able to identify a handful of consistent markers for the malware, and even those are likely to change soon, the researcher says.
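Because the loader itself is generic and its markers shift with each obfuscation pass, one hunt that survives re-obfuscation is to look for the thing the loader cannot hide: a large, encrypted next-stage blob stored in the assembly's resources. The following is an added example of that triage heuristic, not Secureworks tooling or DarkTortilla code. The resource blobs, their names and the 7.2 bits/byte threshold are constructed assumptions so the script runs offline; against a real sample you would feed it resources extracted with a .NET-aware PE parser.

```python
"""Flag assembly resources whose byte entropy looks like ciphertext.

Added example (not from the article's source or any vendor tool).
Sample resources are constructed in-line; names are hypothetical.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/uniform input, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_resources(resources: Dict[str, bytes],
                     entropy_threshold: float = 7.2,
                     min_size: int = 4096) -> List[Tuple[str, float, int]]:
    """Return (name, entropy, size) for resources that look encrypted.

    Threshold and size floor are assumptions for this example: text, XML
    and most images sit well below 7.2 bits/byte, while AES/RC4 output and
    compressed data sit near 8.0. Short blobs give noisy estimates, so they
    are skipped (which also keeps icons and tiny manifests out of the list).
    """
    hits = []
    for name, blob in resources.items():
        if len(blob) < min_size:
            continue
        h = shannon_entropy(blob)
        if h >= entropy_threshold:
            hits.append((name, round(h, 3), len(blob)))
    return sorted(hits, key=lambda t: t[1], reverse=True)


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed "assembly" resources: one encrypted-looking blob among
# ordinary text and a small icon-sized resource.
SAMPLE_RESOURCES = {
    "Loader.Properties.Resources.resources": b"<plain .NET resource header> " * 300,
    "payload.bin": pseudo_random_bytes(b"constructed-sample", 32768),
    "strings.txt": b"Installation failed. The file appears to be corrupted.\r\n" * 120,
    "icon.ico": bytes(range(256)) * 4,  # 1024 bytes: high entropy but below min_size
}

if __name__ == "__main__":
    for name, ent, size in triage_resources(SAMPLE_RESOURCES):
        print(f"{name}: {ent} bits/byte over {size} bytes -> candidate encrypted payload")
```

A hit is a lead, not a verdict: legitimately compressed or signed resources score just as high, so the next step is to check whether the loader's code decrypts and reflectively loads that blob rather than simply reading it.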
The security vendor's analysis of DarkTortilla showed that it migrates execution to the Windows %TEMP% directory during initial execution, a feature that Pantazopoulos says is troublesome for defenders. One benefit in doing this, from the attacker's perspective, is that it allows DarkTortilla to hide on an infected system.
Second, if the %Delay% configuration element is defined within the DarkTortilla configuration, the amount of time from when DarkTortilla is run to when the main payload gets executed increases exponentially, he says. For instance, with just a few configuration changes, attackers can set the malware to execute its main payload several minutes after the DarkTortilla executable is run.
The impact here is that, when defenders submit the sample to most popular sandboxes, the sample will likely time out without doing anything malicious, and the sandbox may report that the sample was benign.
DarkTortilla's bag of tricks includes a message box that attackers can use to display customizable, fake messages about the malware being a legitimate application, about the execution failing, or about the software being corrupted. The goal here, again, is to trick users into believing the malware that is executing on their system is benign.
"From a features perspective, we find DarkTortilla's ability to deliver numerous additional payloads in the form of addons to be very interesting," Pantazopoulos notes. In one instance, the configured addon was a benign decoy Excel spreadsheet that opened as the malware was executing in the background. In another instance, Secureworks discovered the configured addon was a legitimate application installer that ran while the malware was executing. Thus the victim assumed they were installing a legitimate application.
In a handful of instances, Secureworks observed threat actors using DarkTortilla to drop addons to disk that were never executed. Of the more than 600 DarkTortilla addons that Secureworks has observed so far, only seven were dropped to disk and not executed.
The file types ranged from executables and configuration files to PDF documents, and they were typically dropped to the victim's My Documents folder. "Though we've yet to see it used this way, it is very possible that a threat actor could leverage DarkTortilla to plant illegal content on a victim's file system without their knowledge," Pantazopoulos says.
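The two on-disk behaviours described above, a loader that copies itself into %TEMP% and runs from there, and addon files dropped into Documents that never run, are exactly what endpoint telemetry can be correlated on. The following is an added example of such a hunt, not a Secureworks detection. The records imitate Sysmon Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate) but are constructed here, and the field names, paths and file names are assumptions rather than DarkTortilla indicators.

```python
"""Correlate process-creation and file-creation records for two behaviours:
execution migrated into %TEMP%, and files dropped into Documents that are
never executed.

Added example; events below are constructed, not real telemetry.
"""
from typing import Dict, List

TEMP_DIR = "\\appdata\\local\\temp\\"
DOCS_DIR = "\\documents\\"


def _norm(path: str) -> str:
    """Case-fold and unify separators so paths compare reliably."""
    return path.lower().replace("/", "\\")


def hunt(events: List[Dict]) -> Dict[str, List[Dict]]:
    """Return {'temp_migration': [...], 'dropped_not_run': [...]}.

    temp_migration: a process whose image lives under %TEMP% and was
    written to disk by some other process in the same telemetry.
    dropped_not_run: files such a process wrote under Documents that never
    appear as a process image anywhere in the telemetry.
    """
    written_by: Dict[str, str] = {}   # normalized target path -> writer image
    executed = set()                  # normalized images seen in ProcessCreate
    for ev in events:
        if ev["id"] == 11:
            written_by[_norm(ev["target"])] = _norm(ev["image"])
        elif ev["id"] == 1:
            executed.add(_norm(ev["image"]))

    temp_migration = []
    for ev in events:
        if ev["id"] == 1:
            image = _norm(ev["image"])
            if TEMP_DIR in image and image in written_by:
                temp_migration.append({"image": ev["image"],
                                       "written_by": written_by[image],
                                       "parent": ev["parent_image"]})

    migrated = {_norm(h["image"]) for h in temp_migration}
    dropped_not_run = []
    for ev in events:
        if ev["id"] == 11 and _norm(ev["image"]) in migrated:
            target = _norm(ev["target"])
            if DOCS_DIR in target and target not in executed:
                dropped_not_run.append({"path": ev["target"],
                                        "dropped_by": ev["image"]})
    return {"temp_migration": temp_migration, "dropped_not_run": dropped_not_run}


# Constructed telemetry (hypothetical host, user and file names).
T = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
D = "C:\\Users\\alice\\Documents\\"
SAMPLE_EVENTS = [
    {"id": 1, "image": "C:\\Users\\alice\\Downloads\\Invoice_Q3.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"id": 11, "image": "C:\\Users\\alice\\Downloads\\Invoice_Q3.exe",
     "target": T + "winupd.exe"},
    {"id": 1, "image": T + "winupd.exe",
     "parent_image": "C:\\Users\\alice\\Downloads\\Invoice_Q3.exe"},
    # Addon that is executed (the decoy installer case) ...
    {"id": 11, "image": T + "winupd.exe", "target": D + "Setup.exe"},
    {"id": 1, "image": D + "Setup.exe", "parent_image": T + "winupd.exe"},
    # ... and addons that are only dropped.
    {"id": 11, "image": T + "winupd.exe", "target": D + "Statement.pdf"},
    {"id": 11, "image": T + "winupd.exe", "target": D + "app.config"},
    # Benign noise: an ordinary installer also unpacks into and runs from %TEMP%.
    {"id": 11, "image": "C:\\Users\\alice\\Downloads\\vendor-setup.exe",
     "target": T + "is-1A2B.tmp\\vendor-setup.tmp"},
    {"id": 1, "image": T + "is-1A2B.tmp\\vendor-setup.tmp",
     "parent_image": "C:\\Users\\alice\\Downloads\\vendor-setup.exe"},
]

if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for h in result["temp_migration"]:
        print(f"runs from TEMP: {h['image']} (written by {h['written_by']})")
    for d in result["dropped_not_run"]:
        print(f"dropped, never run: {d['path']} (by {d['dropped_by']})")
```

The benign installer in the sample fires the %TEMP% rule too, which is the point: on its own that rule is a triage lead, and what separates it from noise is the second correlation, a %TEMP%-resident process that writes into the user's Documents folder without ever running what it wrote.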
