After 7 years, long-term threat DarkTortilla crypter is still evolving

A highly pervasive .NET-based crypter that has flown under the radar since about 2015 and can deliver a wide range of malicious payloads continues to evolve rapidly, with almost 10,000 code samples being uploaded to VirusTotal over a 16-month period.

Dubbed "DarkTortilla," the crypter usually delivers information stealers and remote access trojans (RATs) like AgentTesla, AsyncRat, NanoCore, and RedLine, though some samples have been seen delivering such targeted payloads as Cobalt Strike and Metasploit, according to researchers with Secureworks' Counter Threat Unit (CTU).

It also can deliver add-on packages like other malware, benign decoy documents, and executables. DarkTorilla also comes with an array of controls designed to make it difficult for threat hunters to detect, analyze, and eliminate it.

"Researchers often overlook DarkTortilla and focus on its main payload," the CTU analysts wrote in a report released Wednesday. "However, DarkTortilla is capable of evading detection, is highly configurable, and delivers a wide range of popular and effective malware. Its capabilities and prevalence make it a formidable threat."

A crypter is software designed to encrypt, obfuscate, and manipulate malware to make it more difficult for security programs to detect it. According to cybersecurity vendor Trend Micro, cybercriminals use crypters to create malware that presents itself as a harmless program to get pass security software and get installed in a targeted system. The crypters encrypt a malicious program and reassemble the code.

Normally crypters are sent via attachments in spear-phishing emails and spammed messages. Secureworks, reviewing VirusTotal samples, found "numerous campaigns" delivering DarkTortilla through spam emails are customized to the victim. The malicious payload comes in an attachment with a range of file types, from .zip and .iso to .img and .tar., according to the CTU, researchers, who have seen samples of the email written in English, German, Romanian, Spanish, and Bulgarian.

Rob Pantazopoulos, senior security researcher with the CTU, told The Register that it's unusual for malware like DarkTortilla to be active for so long and not be detected, but that it was helped by being among a number of generic .NET-based crypters, loaders, and droppers in the wild. In addition, many of these malwares are encoded using code obfuscators like ConfuserEX, DeapSea, and Eazfuscator.

"As a result, these crypters are often overlooked by security researchers in favor of their main payload given the high cost and low reward that reverse engineering the crypter would likely result in," Pantazopoulos said.

He suspects that the "next stage .NET dropper" and ".NET downloader" referred in a report last year by MalwareBytes analysts about a downloader they called "Saint Bot" were DarkTortilla's initial and loader and core processor components that were overlooked in the report.

• Microsoft ups bug bounties 30% for cloud lines, pays more for 'scenario-based' exploits
• A life of cybercrime, a caipirinha and a tan: Fraudsters love a Brazilian
• Mozilla finds 18 of 25 popular reproductive health apps leak data
• 1,900 Signal users exposed: Twilio attacker 'explicitly' looked for certain numbers

MalwareBytes researchers also put out a report in 2015 about a new .NET encrypter that he said probably was an earlier instance of DarkTortilla based on some shared characteristics, including its .NET connection, an elaborate configuration, the ability to display a custom message box to the victim and anti-virtual machine and sandbox checks. More research is needed to further confirm any links.

DarkTortilla includes two components – a .NET-based executable as the initial loader and a .NET-base DLL as the core processor – needed to launch the malicious payloads. The initial loader decodes, loads, and executes the core processor, which then extracts, decrypts, and parses its configuration. It can also display the fake message box, checks for VMs and sandboxes, implements persistence, and processes add-on packages. The core processor then injects and executes the configured main payload and implements its anti-tamper controls.

The broad array of malware that it delivers gives CTU researchers a hint of how it's being used by cybercriminals, according to Pantazopoulos.

"Though we have yet to identify how and where this crypter is being sold, we suspect that it is being sold as a service," he said. "As a result, the threat actors and corresponding payloads associated with the crypter will vary wildly."

The number of DarkTortilla code samples loaded into VirusTotal between January 2021 and May 2022 is significantly higher than Pantazopoulos normally sees. In 365-day "retrohunts" in VirusTotal of a popular commodity malware family, CTU tends to see a couple of hundred up to 2,000 or so hits. During those 16 months, there was an average of 93 unique DarkTortilla samples a week.

Code similarities seen in DarkTortilla suggests possible links with other malware, including a crypter last updated in 2016 and run by the RATs Crew threat group, which was active between 2008 and 2012, as well as Gameloader, malware that emerged last year and uses similar malicious spam lures and also leverages .NET resources.

Despite being around for so long, DarkTortilla is still evolving.

"We know that the crypter is being actively developed given variations that we've seen with the initial loader," Pantazopoulos said. "Specifically, from roughly May 2021 to December 2021, DarkTortilla's initial loader had been changed to retrieve its encoded core processor from public paste sites [like Pastebin and TextBin]. Before and after this time period, the encoded core processes had been stored within the resources of DarkTortilla's initial loader executable."

CTU researchers have also seen minor changes made to the core processor DLL, including certain property names associated with parsing of DarkTortilla's configuration, he said.

Security pros need to pay attention to DarkTortilla due to its pervasiveness – as illustrated by the high number of code samples in VirusTotal – and its ability to evade detection, its configurability, and the wide range of popular malware it delivers. Because its primary payload is executed within memory, no evidence of the payload will be found on the filesystem, which Pantazopoulos said is a common technique for evading detection.

"The anti-tamper aspect to DarkTortilla ensures that it remains persistent in an environment," he said. "Through its elaborate configuration, DarkTortilla has versatility that similar malware does not. It can be configured with numerous payloads, supports multiple persistence types, is capable of displaying a customizable message box to the victim, and can migrate its execution multiple times during its initial execution." ®