7 Years, Long-Term Threat DarkTortilla Crypter is Still Evolving

upnorth

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Content source
https://www.theregister.com/2022/08/17/darktortilla_crypter_malware_secureworks/
A highly pervasive .NET-based crypter that has flown under the radar since about 2015 and can deliver a wide range of malicious payloads continues to evolve rapidly, with almost 10,000 code samples being uploaded to VirusTotal over a 16-month period.

Dubbed "DarkTortilla," the crypter usually delivers information stealers and remote access trojans (RATs) like AgentTesla, AsyncRat, NanoCore, and RedLine, though some samples have been seen delivering such targeted payloads as Cobalt Strike and Metasploit, according to researchers with Secureworks' Counter Threat Unit (CTU). It also can deliver add-on packages like other malware, benign decoy documents, and executables. DarkTorilla also comes with an array of controls designed to make it difficult for threat hunters to detect, analyze, and eliminate it. "Researchers often overlook DarkTortilla and focus on its main payload," the CTU analysts wrote in a report released Wednesday. "However, DarkTortilla is capable of evading detection, is highly configurable, and delivers a wide range of popular and effective malware. Its capabilities and prevalence make it a formidable threat."
Click to expand...
A crypter is software designed to encrypt, obfuscate, and manipulate malware to make it more difficult for security programs to detect it. According to cybersecurity vendor Trend Micro, cybercriminals use crypters to create malware that presents itself as a harmless program to get pass security software and get installed in a targeted system. The crypters encrypt a malicious program and reassemble the code. Normally crypters are sent via attachments in spear-phishing emails and spammed messages. Secureworks, reviewing VirusTotal samples, found "numerous campaigns" delivering DarkTortilla through spam emails are customized to the victim. The malicious payload comes in an attachment with a range of file types, from .zip and .iso to .img and .tar., according to the CTU, researchers, who have seen samples of the email written in English, German, Romanian, Spanish, and Bulgarian.

Rob Pantazopoulos, senior security researcher with the CTU, told The Register that it's unusual for malware like DarkTortilla to be active for so long and not be detected, but that it was helped by being among a number of generic .NET-based crypters, loaders, and droppers in the wild. In addition, many of these malware are encoded using code obfuscators like ConfuserEX, DeapSea, and Eazfuscator.
Click to expand...
www.theregister.com

Overlooked DarkTortilla crypter is a long-term cyberthreat

.NET-based malware can push wide range of malicious payloads, and evades detection, Secureworks says
www.theregister.com www.theregister.com
 
  • +Reputation
  • Like
Reactions: Gandalf_The_Grey, Nevi, Venustus and 3 others
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic
Replies
1
Views
600
News Archive
MuzzMelbourne
MuzzMelbourne
[correlate]
    • Like
    • +Reputation
Snip3 Crypter Reveals New TTPs Over Time
Replies
0
Views
527
News Archive
[correlate]
[correlate]
Gandalf_The_Grey
    • +Reputation
    • Like
AceCryptor: Cybercriminals' Powerful Weapon, Detected in 240K+ Attacks
Replies
0
Views
777
News Archive
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top