
Researchers have spotted two phishing websites, one spoofing a Cisco webpage and the other masquerading as a Grammarly site, that threat actors are using to distribute a particularly pernicious piece of malware known as "DarkTortilla."
The .NET-based malware can be configured to deliver various payloads and is known for features that make it extremely stealthy and persistent on the systems it compromises.
Multiple threat groups have used DarkTortilla since at least 2015 to drop information stealers and remote access Trojans such as AgentTesla, AsyncRAT and NanoCore. Some ransomware groups, such as the operators of Babuk, have also used DarkTortilla as part of their payload delivery chain. In many of these campaigns, attackers have primarily used malicious file attachments (.zip, .img, .iso) in spam emails to infect unsuspecting users with the malware.
DarkTortilla Delivery Via Phishing Sites
Recently, researchers at Cyble Research and Intelligence Labs identified a malicious campaign in which threat actors are using two phishing sites, masquerading as legitimate sites, to distribute the malware. Cyble surmised that the operators of the campaign are likely using spam email or online ads to distribute links to the two sites.
Users who follow the link to the spoofed Grammarly site end up downloading a malicious file named "GnammanlyInstaller.zip" when they click the "Get Grammarly" button. The .zip file contains a malicious installer disguised as a Grammarly executable that drops a second, encrypted 32-bit .NET executable. That in turn downloads an encrypted DLL from an attacker-controlled remote server. The .NET executable decrypts the DLL and loads it into the compromised system's memory, where it carries out a range of malicious actions, Cyble said.
The Cisco phishing site, meanwhile, looks like a download page for Cisco's Secure Client VPN technology. But when a user clicks the button to "order" the product, they instead download a malicious VC++ file from a remote attacker-controlled server. That file triggers a chain of actions that ends with DarkTortilla installed on the compromised system.
Cyble's analysis of the payload showed the malware packing functions for persistence, process injection, antivirus and virtual machine/sandbox checks, displaying fake messages, and communicating with its command-and-control (C2) server and downloading additional payloads from it.
To ensure persistence on an infected system, for instance, Cyble's researchers found that DarkTortilla drops a copy of itself into the system's Startup folder and creates Run/Winlogon registry entries. As an additional persistence mechanism, DarkTortilla also creates a new folder named "system_update.exe" on the infected system and copies itself into it.
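The three persistence artefacts described above (a copy in the Startup folder, Run/Winlogon registry writes, and a directory with an executable-style name such as "system_update.exe") are all visible in endpoint telemetry. The following Python is an added example, not code from Cyble's report or from the malware itself: it runs simple hunting rules over a handful of constructed Sysmon-style events (event ID 11 for file creation, 13 for registry value set) and escalates when one process trips more than one rule. The event shapes, paths, SIDs and process names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry). Paths, the SID and the
# process names are assumptions chosen to mirror the behaviour described above.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Users\victim\Downloads\GrammarlyInstaller.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GrammarlyInstaller.exe"},
    {"id": 13, "image": r"C:\Users\victim\Downloads\GrammarlyInstaller.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\GrammarlyInstaller",
     "details": r"C:\Users\victim\AppData\Roaming\system_update.exe\GrammarlyInstaller.exe"},
    {"id": 13, "image": r"C:\Users\victim\Downloads\GrammarlyInstaller.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": r"explorer.exe,C:\Users\victim\AppData\Roaming\system_update.exe\GrammarlyInstaller.exe"},
    {"id": 11, "image": r"C:\Users\victim\Downloads\GrammarlyInstaller.exe",
     "target": r"C:\Users\victim\AppData\Roaming\system_update.exe\GrammarlyInstaller.exe"},
    # Benign noise: a vendor installer registering an updater under Program Files.
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\Documents\notes.txt"},
]

# A file written directly into a per-user or all-users Startup folder.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$", re.I)
# Run / RunOnce autostart values.
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
# Winlogon Shell/Userinit: legitimate software almost never rewrites these.
WINLOGON_KEY = re.compile(r"\\currentversion\\winlogon\\(shell|userinit)$", re.I)
# Locations an unprivileged user can write to; a Run value pointing here is suspect.
USER_WRITABLE = re.compile(r"[a-z]:\\(users\\[^\\]+\\appdata|programdata|windows\\temp)", re.I)
# A *directory* component whose name looks like an executable (e.g. "\system_update.exe\").
EXE_DIR = re.compile(r"\\[^\\]+\.exe\\", re.I)


def classify(event):
    """Return the persistence technique an event matches, or None if it is benign."""
    target = event["target"]
    if event["id"] == 11:  # FileCreate
        if STARTUP_DIR.search(target):
            return "startup_folder_copy"
        if EXE_DIR.search(target):
            return "exe_named_directory"
    elif event["id"] == 13:  # RegistryEvent: value set
        details = event.get("details", "")
        if WINLOGON_KEY.search(target):
            return "winlogon_shell_or_userinit"
        if RUN_KEY.search(target) and USER_WRITABLE.search(details):
            return "run_key_to_user_writable_path"
    return None


def hunt(events):
    """Group matched techniques by the originating process and rate each process.

    A single Run value is weak evidence on its own; the same process also copying
    itself to Startup or touching Winlogon is the pattern worth paging on.
    """
    per_image = defaultdict(set)
    for ev in events:
        technique = classify(ev)
        if technique:
            per_image[ev["image"]].add(technique)
    findings = []
    for image, techniques in per_image.items():
        severity = "high" if len(techniques) >= 2 else "medium"
        findings.append({"image": image, "techniques": sorted(techniques), "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["image"], ", ".join(finding["techniques"]))
```

On the constructed sample the installer process trips all four rules and is rated high, while the vendor updater (Run value pointing into Program Files) and the ordinary document write produce no finding. The rules are deliberately narrow; in a real deployment the Run-key rule in particular needs an allowlist for legitimate updaters that live under AppData.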
Sophisticated & Dangerous Malware
DarkTortilla's fake message functionality, meanwhile, mostly serves up messages to trick victims into believing the Grammarly or Cisco application they wanted did not run because certain dependent software components were not available on their system.
"The DarkTortilla malware is highly sophisticated .NET-based malware that targets users in the wild," Cyble researchers said in a Monday advisory. "The files downloaded from the phishing sites exhibit different infection techniques, indicating that the [threat actors] have an advanced platform capable of customizing and compiling the binary using various options."
DarkTortilla, as mentioned, typically acts as a first-stage loader for additional malware. Researchers from Secureworks' Counter Threat Unit earlier this year identified threat actors using DarkTortilla to mass-distribute a range of malware including Remcos, BitRat, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat.
They also identified some adversaries using the malware in targeted attacks to deliver Cobalt Strike and Metasploit post-compromise attack kits. At the time, Secureworks said it had counted at least 10,000 unique DarkTortilla samples since it first observed a threat actor using the malware in an attack targeting a critical Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) last year.
Secureworks assessed DarkTortilla as very dangerous because of its high degree of configurability and its use of open source tools like ConfuserEx and DeepSea to obfuscate its code. The fact that DarkTortilla's main payload is executed entirely in memory is another feature that makes the malware dangerous and difficult to spot, Secureworks noted at the time.
