The DarkTortilla crypter still develops as an invasive malware

August 25, 2022
DarkTortilla Crypter Invasive Malware dotNet TTP Infostealer

A study of the highly pervasive and rapidly evolving malware crypter DarkTortilla found that, although it went silent in 2015, it is still being used to attack victims, now with upgraded TTPs. DarkTortilla is a crypter that delivers information-stealing payloads and remote access trojans; notable RATs it has propagated include AsyncRAT, RedLine, and AgentTesla.

Moreover, DarkTortilla can launch other malware strains, malicious documents, and executables on the victim's system. Its operators have also designed it to be evasive, making its payloads difficult to detect.

Crypters like DarkTortilla serve malware by encrypting, obfuscating, and otherwise manipulating it so that it evades security detection. In some cases, crypters are delivered through phishing emails as a seemingly harmless program, which can help the malware bypass security controls as it is launched on the victim's system.


In some past campaigns delivering the DarkTortilla crypter, researchers found that it arrives in an attachment customised to the targeted victim.


Security researchers are unsure why DarkTortilla has gone largely undetected despite its activity and rapid growth, but they suspect it is because most crypters in the wild are .NET-based payloads and are therefore often overlooked.

DarkTortilla's design has two components. The first is a .NET-based executable that serves as its initial loader, and the second is a .NET-based DLL that serves as its core processor. Both components are needed for the crypter to launch the main malware payload on the victim's system, and each has its own distinctive features and capabilities.

DarkTortilla can deliver a wide range of malware strains. This leads researchers to believe it is sold as a service to several threat groups in the cybercrime landscape to support their attacks.

Experts believe that since DarkTortilla's emergence its operators have continually developed it and produced several variants, all while staying off the radar. Analyses of the crypter revealed that its initial loader has been updated and that its core processor DLL has also changed.
