DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks® Counter Threat Unit™ (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.

From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 20, and the Gameloader malware that emerged in 2021.

Delivery

CTU™ analysis of VirusTotal samples revealed numerous campaigns delivering DarkTortilla via malicious spam (malspam). The emails typically use a logistics lure and include the malicious payload in an archive attachment with file types such as. The language of the email message is customized to the victim, and CTU researchers observed samples in English, German, Romanian, Spanish, Italian, and Bulgarian. Figure 1 shows a German-language malspam sample. The redacted filename of the attached ISO image archive file (.iso) includes the name of the organization the email was sent from. It is unclear if that organization was compromised. The archive file contains a single executable with the same filename but the. This executable is a DarkTortilla initial loader sample.

Figure 1. DarkTortilla malspam containing malicious archive attachment. (The German text translates to "Good morning, Please give us your best price offer for our attached order.") (Source: Secureworks)

CTU researchers also identified malicious documents (maldocs) delivering DarkTortilla. Most of these maldocs embed the DarkTortilla initial loader executable as a Packager Shell Object.
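As an added example (not code from the Secureworks report), here is a mail-gateway triage check for the delivery pattern described above: an archive attachment whose only member is an executable that mirrors the archive's own base name. The sample archive is constructed inline as a ZIP; an ISO image would need an ISO 9660 reader (pycdlib, for instance) to supply the member list, and the set of executable extensions is an assumption.

```python
"""Triage heuristic for the 'archive with a single same-named executable'
malspam pattern. Sample data below is constructed, not a real loader."""
import io
import os
import zipfile

# Assumption: extensions a gateway would treat as directly executable on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def archive_member_names(data: bytes) -> list[str]:
    """Return file members of an in-memory ZIP (directories skipped).
    For .iso attachments an ISO 9660 reader would produce the same list."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [m.filename for m in zf.infolist() if not m.is_dir()]


def suspicious_attachment(attachment_name: str, members: list[str]) -> tuple[bool, str]:
    """Flag an archive that holds exactly one file, that file is an executable,
    and its stem equals the archive's stem (order_4711.iso -> order_4711.exe)."""
    if len(members) != 1:
        return False, f"archive holds {len(members)} files, not exactly one"
    member = os.path.basename(members[0])
    stem, ext = os.path.splitext(member)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False, f"single member {member!r} is not an executable"
    archive_stem = os.path.splitext(os.path.basename(attachment_name))[0]
    if stem.lower() != archive_stem.lower():
        return False, f"{member!r} does not mirror archive name {attachment_name!r}"
    return True, f"single executable {member!r} mirrors archive name {attachment_name!r}"


def build_sample(member_name: str) -> bytes:
    """Constructed sample: a ZIP containing one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment name echoing the German logistics lure in the report.
    sample = build_sample("Bestellung_4711.exe")
    print(suspicious_attachment("Bestellung_4711.zip", archive_member_names(sample)))
```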