Cisco and Grammarly spoofed by the DarkTortilla malware

January 5, 2023

Researchers have uncovered a new cybercriminal campaign that uses typosquatted phishing sites to distribute the DarkTortilla malware. According to the investigation, the sites impersonate Cisco and Grammarly download pages to deceive their targets.

A phishing website posing as Cisco was also found; when a victim visits it, it downloads a file from an attacker-controlled URL. On execution, the malware spawns several tasks, applies anti-virus evasion tactics, and bypasses User Account Control (UAC).

In addition, the sample served by the spoofed Cisco website creates a Task Scheduler entry for the malware payload to establish persistence on the infected device. The payload then retrieves and loads a further module called COROTIA[.]dll and runs it directly from memory. This module is the actual DarkTortilla malware.

This final payload carries out the malicious activity: checking for a virtual environment, displaying fake messages, communicating with its command-and-control server, establishing persistence, receiving commands, and downloading additional payloads.

The DarkTortilla campaign has also spoofed Grammarly.

Based on the investigation, the researchers found that the campaign uses more than one infection technique to distribute DarkTortilla. Phishing websites spoofing Grammarly serve a malicious zip archive when the user clicks the 'Get Grammarly' button.

The zip archive contains a malicious cabinet (.cab) file posing as a Grammarly executable. When run, it drops another .NET-based executable in the temp folder and launches it.

That .NET executable then downloads an encrypted DLL from a remote server and decrypts it on the infected device using RC4. The decrypted DLL is loaded into memory and carries out further malicious actions on the system.
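The RC4 step above is the part an analyst has to reproduce offline to get at the second stage. The following Python is an added example (not code from the article, the researchers, or the malware): a plain RC4 implementation plus a sanity check that the decrypted bytes are a PE image, so a wrong key is rejected instead of being handed to a disassembler. The key and the "DLL" are constructed for the demo; with a real sample the key has to be recovered from the .NET loader.

```python
# Added example (not from the article or any vendor report): recovering an
# RC4-encrypted second-stage DLL offline and validating it before use.
# DEMO_KEY, FAKE_DLL and ENCRYPTED_SAMPLE are constructed for this demo.
from typing import Iterator, Optional


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key-scheduling (KSA) then the PRGA; yields keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap check on a decrypted stage: DOS 'MZ' stub and a 'PE\\0\\0'
    signature at e_lfanew (little-endian DWORD at offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_stage(key: bytes, encrypted_blob: bytes) -> Optional[bytes]:
    """Decrypt a downloaded stage and return it only if it is a PE image.
    A wrong key yields pseudo-random bytes, which the header check rejects."""
    plain = rc4_crypt(key, encrypted_blob)
    return plain if looks_like_pe(plain) else None


# Constructed sample: a minimal PE-shaped blob encrypted under a demo key.
DEMO_KEY = b"demo-key-not-real"
_fake = bytearray(b"MZ" + b"\x00" * 0x3A)          # DOS stub up to offset 0x3C
_fake += (0x40).to_bytes(4, "little")              # e_lfanew -> NT header at 0x40
_fake += b"PE\x00\x00" + b"\x00" * 16              # truncated NT header, enough to check
FAKE_DLL = bytes(_fake)
ENCRYPTED_SAMPLE = rc4_crypt(DEMO_KEY, FAKE_DLL)

if __name__ == "__main__":
    stage = recover_stage(DEMO_KEY, ENCRYPTED_SAMPLE)
    print("recovered PE image" if stage else "decryption failed")
    print("wrong key ->", recover_stage(b"wrong", ENCRYPTED_SAMPLE))
```

In practice the key is usually a string constant or a short byte array passed to the loader's RC4 routine; once it is pulled out of the .NET assembly, the same function decrypts the blob captured from the download URL, and the PE check tells you immediately whether you have the right key.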

Finally, the malware loads and runs an additional payload that alters the target path of the Quick Launch .LNK shortcut on the victim's system. It uses this technique to remain persistent on the host, which also keeps its channel to the command-and-control server alive.
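Both persistence behaviours described on this page, the Task Scheduler entry created by the Cisco-lure sample and the Quick Launch .LNK tampering here, leave host telemetry a defender can hunt on. The following Python is an added example (not code from the article or from any vendor) that runs two simple rules over constructed Sysmon-style events: a `schtasks /create` whose action or parent lives in a temp directory, and a `.lnk` under Quick Launch written by something other than explorer.exe. Field names follow Sysmon's process-creation (Event ID 1) and file-create (Event ID 11) schema; the host, user, paths and command lines are made up for the demo.

```python
# Added example (not from the article or any vendor): hunting rules for the
# two persistence behaviours described on the page, run over constructed
# Sysmon-style events. All sample data below is made up for this demo.
import re
from typing import Dict, List, Tuple

# Event ID 1 = process creation, Event ID 11 = file create/overwrite
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn "Updater" /tr "C:\Users\bob\AppData\Local\Temp\svc.exe"',
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\GrammarlySetup.exe"},
    {"EventID": "1",                                   # benign: query, not create
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /query /tn "Backup"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "11",                                  # temp-dir binary rewrites a Quick Launch shortcut
     "Image": r"C:\Users\bob\AppData\Local\Temp\tmp1A2B.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Grammarly.lnk"},
    {"EventID": "11",                                  # benign file write elsewhere
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Desktop\notes.txt"},
]

# Paths droppers commonly stage from; extend for your environment.
TEMP_DIRS = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
QUICK_LAUNCH_LNK = re.compile(r"\\Quick Launch\\.*\.lnk$", re.IGNORECASE)


def is_suspicious_task_creation(ev: Dict[str, str]) -> bool:
    """schtasks /create where the task action (/tr) or the parent process
    sits in a temp directory: a cheap proxy for dropper-installed persistence."""
    if ev.get("EventID") != "1":
        return False
    if not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
        return False
    cmd = ev.get("CommandLine", "")
    if not re.search(r"\s/create\b", cmd, re.IGNORECASE):
        return False
    return bool(TEMP_DIRS.search(cmd) or TEMP_DIRS.search(ev.get("ParentImage", "")))


def is_quick_launch_lnk_write(ev: Dict[str, str]) -> bool:
    """A .lnk under Quick Launch being (re)written by anything other than
    explorer.exe, which is how shortcut target-path tampering shows up."""
    if ev.get("EventID") != "11":
        return False
    if not QUICK_LAUNCH_LNK.search(ev.get("TargetFilename", "")):
        return False
    return not ev.get("Image", "").lower().endswith("\\explorer.exe")


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (rule_name, event) pairs for every event a rule fires on."""
    hits: List[Tuple[str, Dict[str, str]]] = []
    for ev in events:
        if is_suspicious_task_creation(ev):
            hits.append(("schtasks_create_from_temp", ev))
        if is_quick_launch_lnk_write(ev):
            hits.append(("quick_launch_lnk_write", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {ev.get('Image')} :: {ev.get('CommandLine') or ev.get('TargetFilename')}")
```

Both rules are deliberately narrow and will need tuning: installers legitimately create scheduled tasks from temp directories, so in production the first rule is better used as a scoring signal joined with the parent's signer and prevalence than as a standalone alert. The second rule is quieter, because very little besides Explorer and installers writes Quick Launch shortcuts.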

DarkTortilla is a loader that can deliver a range of malicious payloads and evade security detection, and it is built to stay persistent, so defenders should keep tracking it. Security experts urge users not to open untrusted links or email attachments without first verifying their legitimacy, and to download software only from the vendor's genuine site.
