- Jul 27, 2015
A highly pervasive .NET-based crypter that has flown under the radar since about 2015 and can deliver a wide range of malicious payloads continues to evolve rapidly, with almost 10,000 code samples being uploaded to VirusTotal over a 16-month period.
Dubbed "DarkTortilla," the crypter usually delivers information stealers and remote access trojans (RATs) like AgentTesla, AsyncRat, NanoCore, and RedLine, though some samples have been seen delivering such targeted payloads as Cobalt Strike and Metasploit, according to researchers with Secureworks' Counter Threat Unit (CTU). It also can deliver add-on packages like other malware, benign decoy documents, and executables. DarkTortilla also comes with an array of controls designed to make it difficult for threat hunters to detect, analyze, and eliminate it. "Researchers often overlook DarkTortilla and focus on its main payload," the CTU analysts wrote in a report released Wednesday. "However, DarkTortilla is capable of evading detection, is highly configurable, and delivers a wide range of popular and effective malware. Its capabilities and prevalence make it a formidable threat."
A crypter is software designed to encrypt, obfuscate, and manipulate malware to make it more difficult for security programs to detect it. According to cybersecurity vendor Trend Micro, cybercriminals use crypters to create malware that presents itself as a harmless program to get past security software and get installed on a targeted system. The crypters encrypt a malicious program and reassemble the code. Normally crypters are sent via attachments in spear-phishing emails and spammed messages. Secureworks, reviewing VirusTotal samples, found "numerous campaigns" delivering DarkTortilla through spam emails that are customized to the victim. The malicious payload comes in an attachment with a range of file types, from .zip and .iso to .img and .tar, according to the CTU researchers, who have seen samples of the email written in English, German, Romanian, Spanish, and Bulgarian.
Rob Pantazopoulos, senior security researcher with the CTU, told The Register that it's unusual for malware like DarkTortilla to be active for so long and not be detected, but that it was helped by being among a number of generic .NET-based crypters, loaders, and droppers in the wild. In addition, much of this malware is encoded using code obfuscators like ConfuserEX, DeepSea, and Eazfuscator.