Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages

Researchers have spotted two phishing websites, one spoofing a Cisco webpage and the other masquerading as a Grammarly site, that threat actors are using to distribute a particularly pernicious piece of malware called "DarkTortilla."

The .NET-based malware can be configured to deliver various payloads and is known for features that make it extremely stealthy and persistent on the systems it compromises.

Multiple threat groups have been using DarkTortilla since at least 2015 to drop information stealers and remote access Trojans such as AgentTesla, AsyncRAT and NanoCore. Some ransomware groups, such as the operators of Babuk, have also used DarkTortilla as part of their payload delivery chain. In many of these campaigns, attackers have primarily used malicious file attachments (.zip, .img, .iso) in spam emails to ensnare unsuspecting users with the malware.

DarkTortilla Delivery Via Phishing Sites

Recently, researchers at Cyble Research and Intelligence Labs identified a malicious campaign in which threat actors are using two phishing sites, masquerading as legitimate sites, to distribute the malware. Cyble surmised that the operators of the campaign are likely using spam email or online ads to distribute links to the two sites.

Users who follow the link to the spoofed Grammarly site end up downloading a malicious file named "GnammanlyInstaller.zip" when they click the "Get Grammarly" button. The .zip file contains a malicious installer disguised as a Grammarly executable that drops a second, encrypted 32-bit .NET executable. That executable in turn downloads an encrypted DLL file from an attacker-controlled remote server.
The .NET executable decrypts the DLL and loads it into the compromised system's memory, where it carries out a variety of malicious actions, Cyble said.

The Cisco phishing site, meanwhile, looks like a download page for Cisco's Secure Client VPN technology. But when a user clicks the button to "order" the product, they end up downloading a malicious VC++ file from a remote attacker-controlled server instead. That file triggers a series of actions that end with DarkTortilla installed on the compromised system.

Cyble's analysis of the payload showed the malware packing functions for persistence, process injection, antivirus and virtual machine/sandbox checks, displaying fake messages, and communicating with its command-and-control (C2) server and downloading additional payloads from it.

To ensure persistence on an infected system, for instance, Cyble's researchers found that DarkTortilla drops a copy of itself into the system's Startup folder and creates Run/Winlogon registry entries. As an additional persistence mechanism, DarkTortilla also creates a new folder named "system_update.exe" on the infected system and copies itself into it.

Sophisticated & Dangerous Malware

DarkTortilla's fake-message functionality, meanwhile, serves up messages meant to trick victims into believing the Grammarly or Cisco application they wanted did not run because certain dependent application components were unavailable on their system.

"The DarkTortilla malware is highly sophisticated .NET-based malware that targets users in the wild," Cyble researchers said in a Monday advisory.
"The files downloaded from the phishing sites exhibit different infection techniques, indicating that the [threat actors] have a sophisticated platform capable of customizing and compiling the binary using various options."

DarkTortilla, as mentioned, often acts as a first-stage loader for additional malware. Researchers from Secureworks' Counter Threat Unit earlier this year identified threat actors using DarkTortilla to mass-distribute a range of malware including Remcos, BitRat, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat. They also identified some adversaries using the malware in targeted attacks to deliver Cobalt Strike and Metasploit post-compromise attack kits. At the time, Secureworks said it had counted at least 10,000 unique DarkTortilla samples since it first observed a threat actor using the malware in an attack targeting a critical Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) last year.

Secureworks assessed DarkTortilla as very dangerous because of its high degree of configurability and its use of open source tools like ConfuserEx and DeepSea to obfuscate its code. The fact that DarkTortilla's main payload executes entirely in memory is another feature that makes the malware dangerous and difficult to spot, Secureworks noted at the time.
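One way to check a Windows host for the persistence artifacts described above (the Startup folder copy, the Run/Winlogon registry entries, and the folder named "system_update.exe") is the triage script below. It is an added example, not code from the Cyble or Secureworks reports. It only enumerates and flags: every Run entry is listed so the analyst can compare against a known-good baseline, Winlogon values are compared against the stock defaults, and the search roots for the "system_update.exe" directory are an assumption, since the article does not say where the malware creates it.

```powershell
# Added triage script (not from Cyble's or Secureworks' analyses). Enumerates the autostart
# locations the article attributes to DarkTortilla and prints what it finds. Run from an
# elevated PowerShell 5+ session; output is for analyst review, not an automatic verdict.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Location, [string]$Name, [string]$Value, [string]$Note)
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Value = $Value; Note = $Note })
}

# Heuristic: autostart entries that resolve into user-writable or temp paths deserve a closer look.
function Test-UserWritablePath {
    param([string]$Path)
    return ($Path -match '\\(AppData|Temp|ProgramData|Users\\[^\\]+\\Downloads)\\')
}

# 1. Run keys for the current user and the machine (including the 32-bit registry view).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider, ...
        $note = if (Test-UserWritablePath $p.Value) { 'runs from user-writable path' } else { '' }
        Add-Finding -Location $key -Name $p.Name -Value $p.Value -Note $note
    }
}

# 2. Winlogon Shell and Userinit: anything other than the stock defaults is flagged.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
if ($wl.Shell -ne 'explorer.exe') {
    Add-Finding -Location $winlogon -Name 'Shell' -Value $wl.Shell -Note 'non-default Shell'
}
if ($wl.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
    Add-Finding -Location $winlogon -Name 'Userinit' -Value $wl.Userinit -Note 'non-default Userinit'
}

# 3. Per-user and all-users Startup folders: every file is listed for baseline comparison.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding -Location $dir -Name $_.Name -Value $_.FullName -Note 'Startup folder item'
    }
}

# 4. A *directory* (not a file) named system_update.exe. Assumption: the article does not say
#    where it is created, so user-writable roots are searched to a limited depth.
$roots = @($env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP) | Select-Object -Unique
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Recurse -Depth 3 -Filter 'system_update.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding -Location $root -Name $_.Name -Value $_.FullName -Note 'directory named like an executable' }
}

if ($findings.Count -eq 0) {
    Write-Host 'No autostart entries found (unusual on a real host; check that the session is elevated).'
} else {
    $findings | Sort-Object Location | Format-Table -AutoSize -Wrap
}
```

The Run and Startup listings are deliberately unfiltered: a loader that copies itself under a benign-looking name will not match a fixed indicator, so the useful signal is an entry that is absent from the host's baseline or that points into a user-writable path. A directory carrying an ".exe" name is unusual enough on its own to warrant pulling the contents for analysis.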
