DarkTortilla is a highly configurable .NET-based crypter that delivers commodity information stealers and RATs, with targeted payloads such as Cobalt Strike and Metasploit. It uses a two-component architecture (initial loader and core processor) with strong anti-analysis and anti-tamper controls, plus addon payloads to complicate detection.
#DarkTortilla #CobaltStrike
Key points
- DarkTortilla comprises an initial loader and a core processor, with configuration data stored as encrypted bitmap resources.
- Delivery occurs via malspam with archive attachments (ISO, ZIP, IMG, DMG, TAR) and via maldocs embedding the DarkTortilla initial loader.
- The malware uses heavy obfuscation (DeepSea) and anti-analysis techniques, including anti-VM and anti-sandbox checks, plus a WatchDog anti-tamper component.
- Core configuration is decrypted from a hard-coded key and bitmap-derived data, then parsed to drive persistence, startup, and payload injection.
- DarkTortilla uses RunPE-style process injection to execute payloads in memory, targeting various processes and sub-processes.
- Addon packages and a flexible main payload model enable delivery of diverse malware (stealers, RATs) and auxiliary components.
- Possible connections to earlier crypters (RATs Crew) and Gameloader are discussed, but definitive links remain unproven.
MITRE Techniques
- [T1566] Phishing: Attachment - Delivery via malspam with archive attachments such as .iso, .zip, .img, .dmg, and .tar. "CTU researchers observed samples in English, German, Romanian, Spanish, Italian, and Bulgarian."
- [T1105] Ingress Tool Transfer - Initial loader retrieves its encoded core processor from remote sources (e.g., public paste sites). "The initial loader then retrieves its encoded core processor."
- [T1027] Obfuscated/Compressed Files and Information - Initial loader and core code obfuscated; DeepSea code obfuscator used to complicate analysis. "Initial loader samples analyzed by CTU researchers were obfuscated using the DeepSea .NET code obfuscator."
- [T1140] Decrypt/Decode Files or Information - Core configuration data decrypted with Rijndael AES (ECB) and a hard-coded key. "The resulting byte array is decrypted using the Rijndael cipher (AES) with ECB mode and ISO10126 padding configured."
- [T1055] Process Injection - Main payloads injected into the target subprocess using RunPe6; memory-resident execution. "The core processor loads RunPe6 and calls its "Runn" function to execute the malicious payload within the context of the configured target subprocess."
- [T1547] Boot or Logon Autostart Execution - Persistence via startup mechanisms (HKCU Run key and Windows startup folder) and installation relocation. "For Windows startup folder persistence, the core processor uses the WshShortcut COM object to create a .lnk shortcut file in the Windows startup folder."
- [T1036] Masquerading - Obfuscation of names and identifiers to hinder analysis. "namespace, class, function, and property names were renamed from their original descriptive values to random characters."
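A host-triage script for the two user-level persistence locations described under T1547 (the HKCU Run key and startup-folder .lnk shortcuts, resolved through the same WshShortcut COM object the report names), written here as an added example rather than code from the Secureworks report; the user-writable-directory heuristic and the directory list are assumptions for illustration.

```powershell
# Added triage script (not from the Secureworks report): enumerates the two
# user-level persistence locations the report attributes to DarkTortilla and
# flags entries whose executable lives in a user-writable directory.
# The "suspicious" heuristic and the directory list are assumptions.
$userWritable = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Test-UserWritablePath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($Path).ToLowerInvariant()
    foreach ($dir in $userWritable) { if ($p.StartsWith($dir)) { return $true } }
    return $false
}

# Pull the executable out of a Run-key command line ("C:\x\y.exe" /arg or C:\x\y.exe /arg).
function Get-CommandExecutable {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

$findings = @()

# 1. HKCU Run key. PS* properties are PowerShell metadata, not registry values.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $exe = Get-CommandExecutable $p.Value
        $findings += [pscustomobject]@{
            Source = 'HKCU Run'; Name = $p.Name; Target = $exe
            Suspicious = Test-UserWritablePath $exe
        }
    }
}

# 2. Startup folder .lnk files, resolved through the WshShortcut COM object
#    (WScript.Shell.CreateShortcut) that the report says the core processor uses.
$shell = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('Startup')
foreach ($lnk in Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    $findings += [pscustomobject]@{
        Source = 'Startup .lnk'; Name = $lnk.Name; Target = $sc.TargetPath
        Suspicious = Test-UserWritablePath $sc.TargetPath
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries marked Suspicious are only a starting point for triage; a legitimate per-user installer can also place its executable under AppData, so confirm with the file's signature and hash before acting.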
Indicators of Compromise
- [URL] https://pastebin.pl/view/raw/60b6b03b - used for hosting the encoded core processor data
Read more: https://www.secureworks.com/research/darktortilla-malware-analysis