Thursday, May 8, 2025
HomeMalwareBeware of Highly Sophisticated DarkTortilla Malware Distributed Via Phishing Sites

Beware of Highly Sophisticated DarkTortilla Malware Distributed Via Phishing Sites

Published on

SIEM as a Service

Follow Us on Google News

Cyble Research and Intelligence Labs (CRIL) detected threat Actors (TAs) distributing the malware DarkTortilla. Since 2015, the complex .NET-based malware known as DarkTortilla has been operating. 

Researchers say that numerous stealers and Remote Access Trojans (RATs) including AgentTesla, AsyncRAT, NanoCore, etc. are known to be dropped by the malware.

DarkTortilla and Its Specific Actions

Security researchers described DarkTortilla’s spreads to users through spam emails with malicious attachments. However, CRIL discovered that the Threat Actors (TAs) responsible for DarkTortilla had built phishing websites to spread the malware.

- Advertisement - Google News

“We identified two phishing sites masquerading as legitimate Grammarly and Cisco sites. The phishing sites link could reach users via spam email or online ads etc., to infect the users”, CRIL

https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/12/Figure-1-Grammarly-Phishing-Site.jpg?resize=1024%2C528&ssl=1
Grammarly Phishing Site

The infection of DarkTortilla is further facilitated by the malicious samples downloaded from the phishing sites. The samples obtained from the two phishing websites use several infection methods to spread the DarkTortilla malware.

Based on the technical analysis, the Grammarly phishing site downloads a malicious zip file named “GnammanlyInstaller.zip” when the user clicks on the “Get Grammarly” Button. The zip file further contains a malicious cabinet file, “GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe” disguising itself as a Grammarly executable.

After the execution, the .NET executable downloads an encrypted file from the remote server decrypts it using RC4 logic, and executes it in the memory. 

The DLL file, which acts as the malware’s final payload and executes additional malicious operations in the system, is then loaded into memory by the malware.

https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/12/Figure-2-CISCO-Phishing-Site.jpg?resize=1024%2C617&ssl=1
CISCO Phishing Site

Researchers mention that the malware modifies the victims .LNK files target path to maintain its persistence.

“The CISCO phishing site downloads a file from the URL “hxxps://cicsom.com/download/TeamViewerMeeting_Setup_x64.exe” which is a VC++ compiled binary”, CRIL

When the malware is executed, it runs a number of MOV Instructions that copy the encrypted content on the stack for use in additional malicious operations. This method of evading anti-virus detection is employed by the malware.

The malware executes a decryption loop on the encrypted content to get the Portable Executable (PE) file, creates a new registry key, and copies the decrypted PE file as a binary value

The PowerShell mechanism is used by the malware, where it creates a Task scheduler entry as a persistence mechanism. Further, the anti-virtual machine check is carried out by the malware to determine whether the file is running in a managed environment like VMware, Vbox, etc.

“The TAs use typosquatted phishing sites to deliver the DarkTortilla malware. The files downloaded from the phishing sites exhibit different infection techniques, indicating that the TAs should have a sophisticated platform capable of customizing and compiling the binary using various options”, CRIL

Recommendations

  • Do not open suspicious links in emails.
  • Do not download the software from untrusted sources.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Lampion Banking Malware Uses ClickFix Lures to Steal Banking Credentials

Unit 42 researchers at Palo Alto Networks, a highly targeted malicious campaign orchestrated by...

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800...