Cyble – Sophisticated DarkTortilla Malware Spreading Via Phishing Sites

CRIL uncovered a sophisticated DarkTortilla campaign distributed via typosquatted phishing sites impersonating Grammarly and Cisco that deliver a .NET-based loader and a final payload. The operation combines multiple infection techniques, in-memory execution, LNK-based persistence, PowerShell, and registry/Task Scheduler persistence, and can drop additional RATs such as AgentTesla and NanoCore.

Key points

  • Threat actors spread the DarkTortilla loader through two phishing sites masquerading as Grammarly and Cisco.
  • The Grammarly site delivers a CAB-based loader (GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe) that drops EMPLOY~2.EXE, which downloads an encrypted payload from atomm.com.br and decrypts it with RC4.
  • The decrypted payload is Kreocxoyxpcstfwtjlrj.dll, which is executed in memory to perform the core malicious activities.
  • The Cisco site delivers a VC++ binary (TeamViewerMeeting_Setup_x64.exe) that copies encrypted content onto the stack, performs anti-VM checks, and carries out the post-exploitation steps.
  • COROTIA.dll is loaded as the final DarkTortilla payload, enabling persistence, process injection, C2 communication, and command delivery.
  • Persistence is achieved via LNK file modification, Run/Startup registry entries, and a scheduled task for Battle.net-Setup.exe, with PowerShell and UAC bypass used during execution.
  • DarkTortilla can download additional RATs (e.g., AgentTesla, NanoCore, AsyncRAT) from its C2 infrastructure after establishing access.

MITRE Techniques

  • [T1566] Phishing – Attackers used typosquatted phishing sites masquerading as Grammarly and Cisco to deliver DarkTortilla. “phishing sites masquerading as legitimate Grammarly and Cisco sites”
  • [T1204] User Execution – The Grammarly phishing site downloads a malicious zip file (GnammanlyInstaller.zip) when the user clicks the “Get Grammarly” button. “the Grammarly phishing site downloads a malicious zip file named “GnammanlyInstaller.zip” when the user clicks on the “Get Grammarly” Button”
  • [T1036] Masquerading – The cabinet file (.CAB) masquerades as a Grammarly executable. “cabinet file (.CAB) which, after execution, drops a .NET-based “EMPLOY~2.EXE” file”
  • [T1140] Deobfuscate/Decode Files or Information – The loaded payload is decrypted from an encrypted file via RC4 and executed in memory. “decrypts it using RC4 logic and executes in the memory”
  • [T1105] Ingress Tool Transfer – The malware downloads an encrypted payload from a remote server for execution. “downloads an encrypted file from the remote server …”
  • [T1023] Shortcut Modification – The LNK-based persistence modifies the target paths to run additional payloads. “modifies the target path of .LNK files … to execute the respective “.bat” files”
  • [T1053] Scheduled Task – Creates a Task Scheduler entry for persistence. “creates a Task scheduler entry for “Battle.net-Setup.exe” as a persistence mechanism”
  • [T1547] Registry Run Keys / Startup Folder – Auto-start persistence via registry keys and the Startup folder. “dropping a copy of itself into the Startup folder and creating Run/Winlogon registry entries”
  • [T1059.001] PowerShell – Uses PowerShell commands to load and execute payloads. “PowerShell command loads the binary value from the registry key … and saves it in the “LOCALAPPDATA” folder as “Battle.net-Setup.exe” and then executes it.”
  • [T1055] Process Injection – The final payload loads into memory and performs process injection among other actions. “COROTIA.dll is the actual DarkTortilla payload responsible for all the malicious activities such as creating persistence, process injection, …”
  • [T1071] Application Layer Protocol – C2 communications and command delivery over application-layer protocols. “communicating to its C&C server, receiving commands, downloading additional payloads”
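A host-triage script covering the persistence artefacts listed above (Run/Winlogon registry entries that invoke PowerShell, the Battle.net-Setup.exe scheduled task and file, and LNK files retargeted to .bat scripts), added here as an example and not taken from the Cyble post. The file and task names are the report's; the registry-value patterns matched and the LNK locations scanned (Startup folder and Desktop) are assumptions.

```powershell
# Added triage example (not from the Cyble post). Collects suspicious persistence
# entries matching the DarkTortilla behaviour described in the report.
$findings = @()

# 1. Run / Winlogon entries (T1547) that call PowerShell or reference the dropped binary.
#    The regex is an assumed heuristic, not a signature from the report.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $v = [string]$p.Value
        if ($v -match 'powershell|Battle\.net-Setup\.exe|Get-ItemProperty|FromBase64String') {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Value = $v }
        }
    }
}

# 2. Scheduled task whose action launches Battle.net-Setup.exe (T1053).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'Battle\.net-Setup\.exe') {
            $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = $_.TaskName; Value = $a.Execute }
        }
    }
}

# 3. LNK files whose target was rewritten to a .bat (T1023); locations are an assumption.
$shell   = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup, "$env:USERPROFILE\Desktop" -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if ($target -match '\.bat$') {
        $findings += [pscustomobject]@{ Source = 'LNK'; Name = $_.FullName; Value = $target }
    }
}

# 4. The binary the PowerShell stage writes to LOCALAPPDATA; hash it for comparison with the IoC list.
$dropped = Join-Path $env:LOCALAPPDATA 'Battle.net-Setup.exe'
if (Test-Path $dropped) {
    $h = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Source = 'File'; Name = $dropped; Value = $h }
}

$findings | Format-Table -AutoSize
```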

Indicators of Compromise

  • [Domain] Gnammarly.com – Fake Grammarly website, used to lure victims
  • [Domain] Cicsom.com – Fake Cisco website used for infection distribution
  • [Hash] EMPLOY~2.EXE – 92d8f17d9c5ee8169b4995c4b154dc47e401f41affda88da58fbc6b867145878
  • [Hash] Kreocxoyxpcstfwtjlrj.dll – c5d91e6209d0db07e0d2f3a88bdb97d7fb9ccc0b906c514b5648f6f1aa104d3e
  • [Hash] GnammanlyInstaller.zip – f37297ca392c822e40f1409e707f72e5 (MD5; the source lists MD5/SHA1/SHA256)
  • [Hash] GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe – MD5 04a332bcd6b64627f1e9cf1415293bbb / SHA1 0b9fbce7e2db72091974c90ad95b5c0ac82c15ce / SHA256 92d8f17d9c5ee8169b4995c4b154dc47e401f41affda88da58fbc6b867145878
  • [URL] hxxps://atomm.com[.]br/.well-known/acme-challenge/ol/Fjawtld[.]png – Encrypted payload delivery URL
  • [File] Battle.net-Setup.exe – 76956df7cae35333a22e1a5f47d1c7f9d7bf2a98bd9dab7727092f2224cdd229
  • [File] TeamViewerMeeting_Setup_x64.exe – 2fd30bb80e88cf859fcc2ca6750f2c2fdf6ef64d893e6e8abb275ffd986e3f18fbc0fedd
  • [File] COROTIA.dll – 79759748574e4537ef921ef939a82678c6f20fe67c0d3fd403ebf20aa7d57d235ce0215e

Read more: https://blog.cyble.com/2022/12/16/sophisticated-darktortilla-malware-spreading-via-phishing-sites/