Cyble Research and Intelligence Labs (CRIL) detected Threat Actors (TAs) distributing the DarkTortilla malware. DarkTortilla is a complex .NET-based malware that has been active since 2015.
Researchers say that numerous stealers and Remote Access Trojans (RATs) including AgentTesla, AsyncRAT, NanoCore, etc. are known to be dropped by the malware.
Security researchers have previously described DarkTortilla as spreading to users through spam emails carrying malicious attachments. However, CRIL discovered that the Threat Actors (TAs) behind DarkTortilla had also built phishing websites to distribute the malware.
“We identified two phishing sites masquerading as legitimate Grammarly and Cisco sites. The phishing sites’ links could reach users via spam email or online ads, etc., to infect the users,” CRIL said.
The infection of DarkTortilla is further facilitated by the malicious samples downloaded from the phishing sites. The samples obtained from the two phishing websites use several infection methods to spread the DarkTortilla malware.
Based on the technical analysis, the Grammarly phishing site downloads a malicious zip file named “GnammanlyInstaller.zip” when the user clicks the “Get Grammarly” button. The zip file contains a malicious cabinet file, “GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe”, disguised as a Grammarly executable.
After execution, the .NET executable downloads an encrypted file from the remote server, decrypts it using RC4 logic, and executes it in memory.
The DLL file, which acts as the malware’s final payload and executes additional malicious operations in the system, is then loaded into memory by the malware.
Researchers note that the malware modifies the target path of the victim’s .LNK files to maintain persistence.
“The CISCO phishing site downloads a file from the URL “hxxps://cicsom.com/download/TeamViewerMeeting_Setup_x64.exe” which is a VC++ compiled binary,” CRIL said.
When the malware is executed, it runs a series of MOV instructions that copy the encrypted content onto the stack for use in subsequent malicious operations. The malware uses this technique to evade anti-virus detection.
The malware then runs a decryption loop over the encrypted content to recover the Portable Executable (PE) file, creates a new registry key, and stores the decrypted PE file in it as a binary value.
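Storing a decrypted PE image as a binary registry value leaves a recognizable artifact: a REG_BINARY value that begins with a DOS header whose e_lfanew field points at a “PE\0\0” signature. The following script, added here as an example and not code from CRIL or from the DarkTortilla sample, parses a .reg export (including regedit’s backslash line continuations), decodes each hex value, and reports the ones that carry a PE header. The .reg text embedded in it is constructed for the example, and the key path `HKEY_CURRENT_USER\Software\ExampleVendor\Stage` is a placeholder, not a key the malware uses.

```python
"""Flag Portable Executable images stored as binary registry values.

Added example (not CRIL's or the malware's code). The .reg export below is
constructed; the key path in it is a placeholder, not an indicator.
"""
import re
import struct

# Constructed .reg export: one value holds a minimal DOS-header + PE-signature
# blob (MZ at offset 0, e_lfanew = 0x40 at offset 0x3C, "PE\0\0" at 0x40,
# machine = 0x014C), one holds harmless bytes, one is a plain string.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\Stage]
"Blob"=hex:4d,5a,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  40,00,00,00,50,45,00,00,4c,01,03,00
"Config"=hex:01,02,03,04
"Name"="example"
"""

# Matches "Name"=hex:... and typed variants such as "Name"=hex(2):...
_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$'
)


def parse_reg_hex_values(reg_text):
    """Yield (key_path, value_name, raw_bytes) for every hex value in a .reg export."""
    current_key = None
    lines = reg_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        data = m.group("data")
        # regedit wraps long hex lists; a trailing backslash continues on the next line.
        while data.rstrip().endswith("\\") and i < len(lines):
            data = data.rstrip()[:-1] + lines[i].strip()
            i += 1
        raw = bytes(int(tok, 16) for tok in data.split(",") if tok.strip())
        yield current_key, m.group("name"), raw


def pe_header_offset(blob):
    """Return e_lfanew if blob has a DOS header pointing at a PE signature, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def find_pe_values(reg_text):
    """Return a list of registry values whose binary data is a PE image."""
    hits = []
    for key, name, raw in parse_reg_hex_values(reg_text):
        off = pe_header_offset(raw)
        if off is None:
            continue
        # IMAGE_FILE_HEADER.Machine sits right after the 4-byte signature.
        machine = struct.unpack_from("<H", raw, off + 4)[0] if off + 6 <= len(raw) else None
        hits.append({"key": key, "value": name, "size": len(raw), "machine": machine})
    return hits


if __name__ == "__main__":
    for hit in find_pe_values(SAMPLE_REG):
        print(f"PE image in {hit['key']}\\{hit['value']}: "
              f"{hit['size']} bytes, machine=0x{hit['machine']:04x}")
```

Running the script on an export of a suspicious hive (`reg export HKCU\Software out.reg` on the host, then `find_pe_values(open("out.reg").read())`) gives a quick triage of values that should never legitimately contain executable images. The check deliberately validates e_lfanew rather than just searching for “MZ”, which avoids false positives on short values that happen to start with those two bytes.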
The malware uses PowerShell to create a Task Scheduler entry as a persistence mechanism. It also performs an anti-virtual-machine check to determine whether the file is running in a virtualized environment such as VMware, VBox, etc.
“The TAs use typosquatted phishing sites to deliver the DarkTortilla malware. The files downloaded from the phishing sites exhibit different infection techniques, indicating that the TAs should have a sophisticated platform capable of customizing and compiling the binary using various options,” CRIL said.