Secureworks researchers spotted a .NET crypter, named DarkTortilla, that has allegedly been active since at least August 2015. It usually delivers RATs and infostealers. This sophisticated, evasive crypter can also deliver targeted payloads, such as Cobalt Strike and Metasploit.

Diving into details

  • DarkTortilla delivers a wide range of malicious payloads and continues to evolve rapidly: almost 10,000 samples were uploaded to VirusTotal between January 2021 and May 2022.
  • It delivers AgentTesla, RedLine, NanoCore, and AsyncRAT.
  • The malware possesses strong anti-analysis and anti-tamper features and is usually spread via malicious spam.

Why this matters

DarkTortilla has emerged as a dangerous threat due to its high degree of configurability and its anti-tampering and anti-analysis capabilities, which make analysis challenging. Furthermore, it uses open-source tools, such as ConfuserEX and DeepSea, for code obfuscation, and the main payload is executed completely in memory.

Potential connections

DarkTortilla was found to share similarities with other malware.
  • Its payload compression, payload execution, and junk code inclusion through RunPe6 are features used by the RATs Crew crypter, which was last updated in 2016. This may signify that DarkTortilla is an evolution of that crypter.
  • Moreover, DarkTortilla and Gameloader use the same archive files and malspam lures.

Nevertheless, there is not sufficient evidence to link DarkTortilla to other malware families or threat actors.

The bottom line

Despite being around for such a long time, DarkTortilla is still evolving. Its intricate configuration makes it versatile, unlike other similar malware. It should therefore no longer be overlooked, as its advanced functionalities make DarkTortilla a formidable threat.
Cyware Publisher