Home>Blog>The Hacker News Headlines>Researchers Detail Evasive DarkTortilla Crypter Used to Deliver Malware
The Hacker News Headlines

Researchers Detail Evasive DarkTortilla Crypter Used to Deliver Malware

DarkTortilla Crypter

A .NET-based evasive crypter named DarkTortilla
has been used by threat actors to distribute a broad array of
commodity malware as well as targeted payloads like Cobalt Strike
and Metasploit, likely since 2015[1].

“It can also deliver ‘add-on packages’ such as additional
malicious payloads, benign decoy documents, and executables,”
cybersecurity firm Secureworks said[2]
in a Wednesday report. “It features robust anti-analysis and
anti-tamper controls that can make detection, analysis, and
eradication challenging.”

Malware delivered by the crypter includes information steakers
and remote access trojans (RATs) such as Agent Tesla, AsyncRat,
NanoCore, and RedLine Stealer. “DarkTortilla has versatility that
similar malware does not,” the researchers noted.

CyberSecurity

Crypters are software tools[3]
that use a combination[4]
of encryption, obfuscation, and code manipulation of malware so as
to bypass detection[5]
by security solutions.

The delivery of DarkTortilla occurs via malicious spam emails
which contain archives with an executable for an initial loader
that’s used to decode and launch a core processor module either
embedded within itself or fetched from text storage sites such as
Pastebin.

DarkTortilla Crypter

The core processor is then responsible for establishing
persistence and injecting the primary RAT payload into memory
without leaving a trail on the file system through an elaborate
configuration file that also allows it to drop add-on packages,
including keyloggers, clipboard stealers, and cryptocurrency
miners.

DarkTortilla is further noteworthy for its use of anti-tamper
controls that ensure both the processes used to execute the
components in memory are immediately rerun upon termination.

Specifically, the persistence of the initial loader is achieved
by means of a second executable referred to as a WatchDog that’s
designed to keep tabs on the designated process and rerun it should
it be killed.

CyberSecurity

This technique is reminiscent of a similar mechanism adopted by
a threat actor called Moses Staff[6], which, earlier this
year, was found relying on a watchdog-based approach to prevent any
interruption to its payloads. Also employed are two other controls
to guarantee the continued execution of the dropped WatchDog
executable itself and the persistence for the initial loader.

Secureworks said it identified an average of 93 unique
DarkTortilla samples being uploaded to the VirusTotal malware
database per week over a 17-month period from January 2021 to May
2022.

“DarkTortilla is capable of evading detection, is highly
configurable, and delivers a wide range of popular and effective
malware,” the researchers concluded. “Its capabilities and
prevalence make it a formidable threat.”

References

  1. ^
    since
    2015     (www.malwarebytes.com)
  2. ^
    said
    (www.secureworks.com)
  3. ^
    software
    tools     (unit42.paloaltonetworks.com)
  4. ^
    combination
    (thehackernews.com)
  5. ^
    bypass
    detection     (thehackernews.com)
  6. ^
    Moses
    Staff     (thehackernews.com)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.