A .NET-based evasive crypter named DarkTortilla has been used by threat actors to distribute a broad array of commodity malware as well as targeted payloads like Cobalt Strike and Metasploit, likely since 2015.

“It can also deliver ‘add-on packages’ such as additional malicious payloads, benign decoy documents, and executables,” cybersecurity firm Secureworks said in a Wednesday report. “It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.”

Malware delivered by the crypter includes information stealers and remote access trojans (RATs) such as Agent Tesla, AsyncRat, NanoCore, and RedLine Stealer.

Crypters are software tools that use a combination of encryption, obfuscation, and code manipulation of malware so as to bypass detection by security solutions. “DarkTortilla has versatility that similar malware does not,” the researchers noted.

The delivery of DarkTortilla occurs via malicious spam emails that contain archives with an executable for an initial loader, which is used to decode and launch a core processor module either embedded within itself or fetched from text storage sites such as Pastebin.

DarkTortilla is further noteworthy for its use of anti-tamper controls that ensure both the processes used to execute the components in memory are immediately rerun upon termination.

Specifically, the persistence of the initial loader is achieved by means of a second executable referred to as a WatchDog that’s designed to keep tabs on the designated process and rerun it should it be killed. The core processor is then responsible for establishing persistence and injecting the primary RAT payload into memory, leaving no trail on the file system, as directed by an elaborate configuration file that also allows it to drop add-on packages, including keyloggers, clipboard stealers, and cryptocurrency miners.
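The mutual relaunch behaviour described above (the loader and its WatchDog each restarting the other as soon as it is terminated) leaves a recognisable pattern in process create/terminate telemetry. The following is an added example, not code from the Secureworks report or from DarkTortilla itself; the event format, the image names loader.exe and watchdog.exe, and the sample events are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: float          # seconds since epoch (constructed sample clock)
    kind: str          # "create" or "terminate"
    pid: int
    image: str         # executable file name of the process
    parent_image: str  # image of the creating process (meaningful for "create" only)


def find_relaunches(events, window=2.0):
    """Map (relauncher_image, relaunched_image) -> count for every process image
    that is re-created within `window` seconds of one of its instances exiting."""
    last_exit = {}                 # image -> timestamp of its most recent termination
    counts = defaultdict(int)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "terminate":
            last_exit[e.image] = e.ts
        elif e.kind == "create":
            t = last_exit.get(e.image)
            if t is not None and 0 <= e.ts - t <= window:
                counts[(e.parent_image, e.image)] += 1
    return dict(counts)


def mutual_watchdogs(relaunches):
    """Image pairs that relaunch each other: the anti-tamper pattern from the report."""
    pairs = set()
    for a, b in relaunches:
        if a != b and (b, a) in relaunches:
            pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)


# Constructed telemetry: loader and watchdog restart each other; notepad is a benign
# process that is simply reopened by the user much later, outside the window.
SAMPLE_EVENTS = [
    ProcEvent(0.0, "create", 100, "loader.exe", "explorer.exe"),
    ProcEvent(0.5, "create", 101, "watchdog.exe", "loader.exe"),
    ProcEvent(5.0, "create", 200, "notepad.exe", "explorer.exe"),
    ProcEvent(10.0, "terminate", 100, "loader.exe", ""),
    ProcEvent(10.3, "create", 102, "loader.exe", "watchdog.exe"),
    ProcEvent(20.0, "terminate", 101, "watchdog.exe", ""),
    ProcEvent(20.2, "create", 103, "watchdog.exe", "loader.exe"),
    ProcEvent(30.0, "terminate", 200, "notepad.exe", ""),
    ProcEvent(40.0, "terminate", 102, "loader.exe", ""),
    ProcEvent(40.4, "create", 104, "loader.exe", "watchdog.exe"),
    ProcEvent(120.0, "create", 201, "notepad.exe", "explorer.exe"),
]

if __name__ == "__main__":
    print(mutual_watchdogs(find_relaunches(SAMPLE_EVENTS)))
```

Tuning `window` to your environment's typical restart latency keeps legitimate service managers that restart crashed children from being flagged as a pair only when the relationship is one-directional.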