Tuesday, March 5, 2024

Beware of Highly Sophisticated DarkTortilla Malware Distributed Via Phishing Sites

Cyble Research and Intelligence Labs (CRIL) detected threat Actors (TAs) distributing the malware DarkTortilla. Since 2015, the complex .NET-based malware known as DarkTortilla has been operating. 

Researchers say that numerous stealers and Remote Access Trojans (RATs) including AgentTesla, AsyncRAT, NanoCore, etc. are known to be dropped by the malware.

DarkTortilla and Its Specific Actions

Security researchers described DarkTortilla’s spreads to users through spam emails with malicious attachments. However, CRIL discovered that the Threat Actors (TAs) responsible for DarkTortilla had built phishing websites to spread the malware.

“We identified two phishing sites masquerading as legitimate Grammarly and Cisco sites. The phishing sites link could reach users via spam email or online ads etc., to infect the users”, CRIL

Grammarly Phishing Site

The infection of DarkTortilla is further facilitated by the malicious samples downloaded from the phishing sites. The samples obtained from the two phishing websites use several infection methods to spread the DarkTortilla malware.

Based on the technical analysis, the Grammarly phishing site downloads a malicious zip file named “GnammanlyInstaller.zip” when the user clicks on the “Get Grammarly” Button. The zip file further contains a malicious cabinet file, “GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe” disguising itself as a Grammarly executable.

After the execution, the .NET executable downloads an encrypted file from the remote server decrypts it using RC4 logic, and executes it in the memory. 

The DLL file, which acts as the malware’s final payload and executes additional malicious operations in the system, is then loaded into memory by the malware.

CISCO Phishing Site

Researchers mention that the malware modifies the victims .LNK files target path to maintain its persistence.

“The CISCO phishing site downloads a file from the URL “hxxps://cicsom.com/download/TeamViewerMeeting_Setup_x64.exe” which is a VC++ compiled binary”, CRIL

When the malware is executed, it runs a number of MOV Instructions that copy the encrypted content on the stack for use in additional malicious operations. This method of evading anti-virus detection is employed by the malware.

The malware executes a decryption loop on the encrypted content to get the Portable Executable (PE) file, creates a new registry key, and copies the decrypted PE file as a binary value

The PowerShell mechanism is used by the malware, where it creates a Task scheduler entry as a persistence mechanism. Further, the anti-virtual machine check is carried out by the malware to determine whether the file is running in a managed environment like VMware, Vbox, etc.

“The TAs use typosquatted phishing sites to deliver the DarkTortilla malware. The files downloaded from the phishing sites exhibit different infection techniques, indicating that the TAs should have a sophisticated platform capable of customizing and compiling the binary using various options”, CRIL


  • Do not open suspicious links in emails.
  • Do not download the software from untrusted sources.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book


Latest articles

GTPDOOR – Previously Unknown Linux Malware Attack Telecom Networks

Researchers have discovered a new backdoor named GTPDOOR that targets telecommunication network systems within...

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles