Cyble Research and Intelligence Labs (CRIL) detected threat actors (TAs) distributing the DarkTortilla malware. DarkTortilla is a complex .NET-based malware that has been in operation since 2015.
It is known to deliver many stealers and Remote Access Trojans (RATs), including AgentTesla, AsyncRAT, and NanoCore, and the malware can also drop these files.
DarkTortilla and its Specific Actions
Security researchers had previously described DarkTortilla as spreading via spam email with malicious attachments. CRIL found that DarkTortilla's Threat Actors had also created phishing sites to distribute the malware.
Two of these sites were identified as impersonating the genuine Grammarly and Cisco websites. To infect users, the phishing site link could be delivered via spam mail or online ads.
The malicious samples downloaded from these phishing websites also facilitate DarkTortilla infection, and the samples downloaded from the different phishing sites exhibit several different infection methods.
Based on the technical analysis, the Grammarly phishing site downloads a malicious zip file named “GnammanlyInstaller.zip” when the user clicks on the “Get Grammarly” button. The zip file contains a malicious cabinet file, “GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe”, disguised as a Grammarly executable.
The .NET executable then downloads encrypted files from remote servers, decrypts them using , and then executes the file in memory.
The malware loads DLL files into memory; these act as the malware's final payload and perform additional malicious operations on the system.
Researchers note that the malware alters the target path of the victim's .LNK files in order to maintain persistence.
“The CISCO phishing site downloads a file from the URL “hxxps://cicsom.com/download/TeamViewerMeeting_Setup_x64.exe” which is a VC++ compiled binary,” CRIL said.
The malware executes a series of MOV instructions to copy encrypted contents from the stack and then uses them in further malicious activities. The malware uses this method to evade anti-virus detection.
The malware runs a decryption loop over the encrypted content to obtain a Portable Executable (PE) file. It then creates a registry key and stores the PE file in it as a binary value.
The malware uses PowerShell to create a Task Scheduler entry for persistence. It also performs an anti-virtual machine check to verify that it is not running in a virtualized environment such as VirtualBox or VMware.
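As an added example (not CRIL's code or part of the original article), the following Python triages constructed Sysmon-style events for the three host behaviours described above: a PE blob written to the registry, a scheduled task created from PowerShell, and a .LNK shortcut written by a process running from a user-writable directory. The event field names follow Sysmon's schema; the sample records, process paths, registry key and task name are invented.

```python
import re

# Constructed Sysmon-style events (not real telemetry). Paths, key and task names are
# invented; the behaviours mirror those described in the article.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\GnammanlyInstaller.exe",
     "TargetObject": r"HKCU\Software\Updater\Blob",
     "Details": "Binary Data: 4D5A90000300000004000000FFFF0000B8000000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN "Updater" /TR "C:\Users\u\AppData\Roaming\upd.exe"'},
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\GnammanlyInstaller.exe",
     "TargetFilename": r"C:\Users\u\Desktop\Grammarly.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop",
     "Details": "Binary Data: 0100000000"},
]

MZ_BLOB = re.compile(r"Binary Data:\s*4D5A", re.I)   # PE "MZ" DOS header at the start of a REG_BINARY value
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)

def pe_stored_in_registry(ev):
    """Sysmon 13 (RegistryEvent value set) whose binary data begins with a PE 'MZ' header."""
    return ev.get("EventID") == 13 and bool(MZ_BLOB.search(ev.get("Details", "")))

def schtask_from_powershell(ev):
    """Sysmon 1 (ProcessCreate): schtasks.exe /Create launched with PowerShell as its parent."""
    return (ev.get("EventID") == 1
            and ev.get("Image", "").lower().endswith("\\schtasks.exe")
            and ev.get("ParentImage", "").lower().endswith("\\powershell.exe")
            and "/create" in ev.get("CommandLine", "").lower())

def lnk_written_from_user_dir(ev):
    """Sysmon 11 (FileCreate): a .lnk shortcut written by a process running from a user-writable path."""
    return (ev.get("EventID") == 11
            and ev.get("TargetFilename", "").lower().endswith(".lnk")
            and bool(USER_WRITABLE.search(ev.get("Image", ""))))

RULES = {"pe_in_registry": pe_stored_in_registry,
         "powershell_schtask": schtask_from_powershell,
         "lnk_written_from_user_dir": lnk_written_from_user_dir}

def triage(events):
    """Return (rule_name, event_index) for every event that matches a rule, in event order."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for name, i in triage(SAMPLE_EVENTS):
        print(f"{name}: event {i} image={SAMPLE_EVENTS[i]['Image']}")
```

The benign notepad and explorer events are included so the rules can be checked for false positives on ordinary activity.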
“DarkTortilla malware is delivered by TAs using typosquatted phishing websites. Different infection methods are evident in the files that were downloaded from phishing websites. This means that the TAs need a platform with the ability to customize and compile the binary using different options,” CRIL said.
Recommendations
- Don’t open emails that contain suspicious links.
- Avoid downloading software from unknown sources.
- Use trusted anti-virus software and an Internet security program on all your devices (including mobile and laptop).
- Avoid opening emails and attachments that aren’t trusted.
- Deploy a Secure Web Gateway with web filter rules, activity tracking, and malware protection.