DarkTortilla Masquerades Grammarly, Cisco For Phishing Attacks

Phishing via Grammarly

• Phishing sites masquerading as Grammarly sites downloaded a malicious zip file when the user clicks on the “Get Grammarly” Button.
• The zip file contained a malicious cabinet file disguising itself as a Grammarly executable. 
• After execution, this file drops another .NET-based file (EMPLOY~2.EXE) in the temp folder and executes it.
• On execution, this .NET executable downloads an encrypted DLL file from the remote server and decrypts it in the memory using RC4 logic.
• The decoded DLL file is loaded into the memory and performs other malicious activities in the system.

Phishing via CISCO

• Upon execution, the malware kicks off several tasks, uses antivirus detection evasion techniques, and bypasses the UAC. 
• It creates a Task scheduler entry for the malware payload (Battle.net-Setup.exe) as a persistence mechanism. 
• The payload retrieves and loads the new module named “COROTIA.dll” and then executes it from memory. This module is the actual DarkTortilla payload.
• The final payload is responsible for all the malicious activities including checking the virtual environment, creating persistence, displaying a fake message, communicating to its C2 server, receiving commands, and downloading additional payloads.

Establishing persistence

• The malware loads and executes an additional payload to modify the quick launch .LNK file’s target path on a compromised system.
• The malware uses this technique to maintain its persistence and after gaining persistence, it connects to its C2 server to download additional payloads including Agent Tesla, Asyncrat, Nanocore, and RedLine from the remote server.

Conclusion