Tuesday, July 23, 2024
EHA

Beware of Highly Sophisticated DarkTortilla Malware Distributed Via Phishing Sites

Cyble Research and Intelligence Labs (CRIL) detected threat Actors (TAs) distributing the malware DarkTortilla. Since 2015, the complex .NET-based malware known as DarkTortilla has been operating. 

Researchers say that numerous stealers and Remote Access Trojans (RATs) including AgentTesla, AsyncRAT, NanoCore, etc. are known to be dropped by the malware.

DarkTortilla and Its Specific Actions

Security researchers described DarkTortilla’s spreads to users through spam emails with malicious attachments. However, CRIL discovered that the Threat Actors (TAs) responsible for DarkTortilla had built phishing websites to spread the malware.

“We identified two phishing sites masquerading as legitimate Grammarly and Cisco sites. The phishing sites link could reach users via spam email or online ads etc., to infect the users”, CRIL

https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/12/Figure-1-Grammarly-Phishing-Site.jpg?resize=1024%2C528&ssl=1
Grammarly Phishing Site

The infection of DarkTortilla is further facilitated by the malicious samples downloaded from the phishing sites. The samples obtained from the two phishing websites use several infection methods to spread the DarkTortilla malware.

Based on the technical analysis, the Grammarly phishing site downloads a malicious zip file named “GnammanlyInstaller.zip” when the user clicks on the “Get Grammarly” Button. The zip file further contains a malicious cabinet file, “GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe” disguising itself as a Grammarly executable.

After the execution, the .NET executable downloads an encrypted file from the remote server decrypts it using RC4 logic, and executes it in the memory. 

The DLL file, which acts as the malware’s final payload and executes additional malicious operations in the system, is then loaded into memory by the malware.

https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/12/Figure-2-CISCO-Phishing-Site.jpg?resize=1024%2C617&ssl=1
CISCO Phishing Site

Researchers mention that the malware modifies the victims .LNK files target path to maintain its persistence.

“The CISCO phishing site downloads a file from the URL “hxxps://cicsom.com/download/TeamViewerMeeting_Setup_x64.exe” which is a VC++ compiled binary”, CRIL

When the malware is executed, it runs a number of MOV Instructions that copy the encrypted content on the stack for use in additional malicious operations. This method of evading anti-virus detection is employed by the malware.

The malware executes a decryption loop on the encrypted content to get the Portable Executable (PE) file, creates a new registry key, and copies the decrypted PE file as a binary value

The PowerShell mechanism is used by the malware, where it creates a Task scheduler entry as a persistence mechanism. Further, the anti-virtual machine check is carried out by the malware to determine whether the file is running in a managed environment like VMware, Vbox, etc.

“The TAs use typosquatted phishing sites to deliver the DarkTortilla malware. The files downloaded from the phishing sites exhibit different infection techniques, indicating that the TAs should have a sophisticated platform capable of customizing and compiling the binary using various options”, CRIL

Recommendations

  • Do not open suspicious links in emails.
  • Do not download the software from untrusted sources.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Website

Latest articles

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....

Hackers Registered 500k+ Domains Using Algorithms For Extensive Cyber Attack

Hackers often register new domains for phishing attacks, spreading malware, and other deceitful activities. Such...

Hackers Claim Breach of Daikin: 40 GB of Confidential Data Exposed

Daikin, the world's largest air conditioner manufacturer, has become the latest target of the...

Emojis Are To Express Emotions, But CyberCriminals For Attacks

There are 3,664 emojis that can be used to express emotions, ideas, or objects...

Beware Of Fake Browser Updates That Installs Malicious BOINC Infrastructre

SocGholish malware, also known as FakeUpdates, has exhibited new behavior since July 4th, 2024,...

Data Breach Increases by Over 1,000% Annually

The Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support...

UK Police Arrested 17-year-old Boy Responsible for MGM Resorts Hack

UK police have arrested a 17-year-old boy from Walsall in connection with a notorious...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles