This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

FirstWatch Threat Spotlight: DarkTortilla

jeethmathai
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2022-11-30 06:31 AM

Executive Summary

DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.

 

Delivery

Based on the findings, the samples revealed numerous campaigns delivering DarkTortilla via malicious spam (malspam). The emails typically use a logistics lure and include the malicious payload in an archive attachment with file types such as .iso, .zip, .img, .dmg, and .tar. The archive file contains a single executable with the same filename but the .exe extension. This executable is a DarkTortilla initial loader sample.

Researchers also identified malicious documents (maldocs) delivering DarkTortilla. Most of these maldocs embed the DarkTortilla initial loader executable as a Packager Shell Object. Figure 1 shows a sample that prompts the victim to double-click the embedded Packager Shell Object, which executes the payload., which is a DarkTortilla initial loader sample. Other maldocs use different approaches, such as leveraging embedded macros to automatically execute the Packager Shell Object when a victim opens the document and enables macros.

 

jeethmathai_0-1669789169243.jpeg

Figure 1: Maldoc sample delivering DarkTortilla

 

Execution

DarkTortilla consists of two components that rely on each other to successfully detonate payloads: a .NET-based executable (initial loader) and a .NET-based DLL (core processor). The typical high-level execution flow for a DarkTortilla payload starts with execution of the initial loader. The initial loader then retrieves its encoded core processor. While the encoded core processor is typically embedded within the .NET resources of the initial loader. The initial loaders can retrieve their core processor from public paste sites such as pastebin (. pl), textbin (.net), and paste (.ee).

The initial loader decodes, loads, and executes the core processor. When executed, the core processor extracts, decrypts, and parses its configuration. The encrypted configuration is stored within the .NET resources of the initial loader as bitmap images. Depending on DarkTortilla's configuration, the core processor performs the following actions:

  • Displays a fake message box
  • Performs anti-virtual machine checks
  • Performs anti-sandbox checks
  • Implements persistence
  • Migrates execution to the Windows %TEMP% directory by using the “Melt” configuration element
  • Processes addon packages
  • Migrates execution to its install directory

 

The core processor then injects and executes its configured main payload within the context of the configured subprocess. Finally, if configured, the core processor implements anti-tamper controls to prevent interference with execution of the initial loader, core processor, injected subprocess, and WatchDog executable.

 

jeethmathai_1-1669789169248.jpeg

Figure 2: High-level execution flow for DarkTortilla infection

 

The initial loader’s execution flow typically starts by checking for internet connectivity by issuing HTTP GET requests. In samples that implement this check, the initial loader attempts to retrieve content from google.com, bing.com, or both. If the check fails, the initial loader retries the request(s) until all are successful.

 

 

Configuration

DarkTortilla parses the decrypted configuration data into a structure so that its elements can be easily referenced. The table lists the potential configuration elements contained within DarkTortilla’s decrypted configuration.

 

Key

Type

Description

%Installation%

bool

Install DarkTortilla and implement persistence

%InstallationReg%

string

Registry key used for persistence

%InstallationKey%

string

Registry value used for persistence

%InstallationDirectory%

int

Root install directory

%InstallationFolder%

string

Subfolder name within the root install directory

%InstallationFileName%

string

Filename for the initial loader executable within the root subfolder

%StartupFolder%

bool

Enable Startup folder persistence

%Hidden%

bool

Enable “Hidden” registry persistence

%HiddenReg%

string

“Hidden” registry key used for persistence

%HiddenKey%

string

“Hidden” registry value used for persistence

%Message%

bool

Display fake message box

%VM%

bool

Perform anti-virtual machine checks

%SB%

bool

Perform anti-sandbox checks

%InjectionPersist%

bool

Enable anti-tamper control for running processes

%StartupPersist%

bool

Enable anti-tamper control for startup persistence

%Melt%

bool

Migrate initial loader execution to the Windows %TEMP% directory

%MeltName%

string

Filename for the initial loader executable within the Windows %TEMP% directory

%WatchDogName%

string

Filename for the anti-tamper WatchDog executable

%Compress%

bool

Indicates if payloads are zlib-compressed

%Delay%

int

Number of seconds to delay execution within the core processor

%HostIndex%

int

ID of the target subprocess name to use for main/addon payload injection

%MainFile%

byte[]

Main payload byte array

%FilesNum%

int

Number of addon packages to process

F.{0}.D

byte[]

Addon package (data): Payload byte array

F.{0}.F

string

Addon package (folder): Target install subfolder

F.{0}.P

int

Addon package (path): Target install folder (special folder ID)

F.{0}.N

string

Addon package (name): Filename

Table: DarkTortilla configuration

 

“Melt” execution migration

If the %Melt% configuration element is set to true, the core processor moves the initial loader executable to the Window’s %TEMP% directory. It uses the %MeltName% configuration element value as the executable filename (e.g., java.exe, PDF.exe, cookies.exe). The core processor runs the new executable and then terminates the original initial loader executable. However, the %TEMP% directory may not be the final destination for the initial loader. The executable could migrate again if the %Installation% configuration element is set to true.

 

jeethmathai_2-1669789169254.png

Figure 3: Executable migrated to the TEMP directory

 

Persistence

DarkTortilla features standard and hidden techniques for implementing persistence via the Windows registry. Both options implement persistence in the HKEY_CURRENT_USER (HKCU) hive as a hard-coded value in the core processor code. This persistence results in the installed DarkTortilla initial loader executable being run every time the user logs in.

  • For standard registry persistence, the core processor uses the %InstallationReg% and %InstallationKey% values to set the target key/value combination. In every sample analyzed where the standard persistence was configured, the %InstallationReg% value was "Software\Microsoft\Windows\CurrentVersion\Run". The value stored in %InstallationKey% varied across samples (e.g., "Updates", "svchost", "Runtime Broker").
  • The core processor uses the %HiddenReg% and %HiddenKey% values to set the target key/value combination. In every sample analyzed, the %InstallationReg% value was "Software\Microsoft\Windows NT\CurrentVersion\Winlogon" and the value stored in %HiddenKey% was "Shell". To create these registry values, the core processor executes the following command via Process.Start():
    cmd.exe /c REG ADD "HKCU\<configured_reg_key>" /f /v "<configured_reg_val>" /t REG_SZ /d "<installed_darktortilla_exe_path>"

 

DarkTortilla is further noteworthy for its use of anti-tamper controls that ensure both the processes used to execute the components in memory are immediately rerun upon termination. Specifically, the persistence of the initial loader is achieved by means of a second executable referred to as a WatchDog that's designed to keep tabs on the designated process and rerun it should it be killed.

 

Anti-analysis controls

The %VM% configuration element enables DarkTortilla's anti-virtual machine (anti-VM) controls. If set to true, the core processor obtains information about the system by querying the following Windows Management Instrumentation (WMI) objects:

  • Win32_ComputerSystem
  • Win32_BIOS
  • Win32_MotherboardDevice
  • Win32_PnPEntity
  • Win32_DiskDrive

The core processor also retrieves information about the system's running processes and services. It then inspects this data for strings associated with Hyper-V, QEMU, Virtual PC, VirtualBox, and VMware. If any of the case-insensitive data matches the anti-VM detections, the core processor terminates the initial loader process.

 

Addon package processing

DarkTortilla can be configured with zero or more payloads known as addon packages. These addons are in addition to the main payload that DarkTortilla is tasked with delivering. Observed addons include benign decoy documents, legitimate executables, keyloggers, clipboard stealers, cryptocurrency miners, and additional DarkTortilla payloads. Each addon package possesses a set of configuration elements composed of a static "F" character, an integer "{0}" that represents the index value indicating the position of the addon in the package array, and a character representing a particular property associated with the package.

If the payload is saved to disk, the location is specified by the addon path (F.{0}.P), subfolder (F.{0}.F), and filename (F.{0}.N) configuration elements. The F.{0}.P integer value represents a CSIDL value associated with a special folder on the system. For example, the value 2 corresponds to the Windows Start Menu/Programs folder.

 

Network Communications

The initial loaders that retrieve their core processor from public paste sites such as pastebin (.pl), textbin (.net), postimg (.cc) and paste (.ee). Some samples were found to download additional payloads from discord (cdn.discordapp.com)

 

jeethmathai_3-1669789169262.png

Figure 4: Network communications to retrieve the core processor

 

 

MITRE ATT&CK

Privilege Escalation - TA0004

  • Process Injection - T1055:
    • Injects a PE file into a foreign process
    • Writes to foreign memory regions

 

Defense Evasion - TA0005

  • Software Packing - T1027.002:
    • .NET source code contains potential unpacker
  • Virtualization/Sandbox Evasion - T1497:
    • Contains long sleeps (>= 3 min)
    • May sleep (evasive loops) to hinder dynamic analysis

 

Discovery - TA0007

  • Query Registry - T1012:
    • Monitors certain registry keys / values for changes (often done to protect autostart functionality)
  • System Information Discovery - T1082:
    • Queries the volume information (name, serial number, etc) of a device
    • Queries the cryptographic machine GUID

 

Command and Control - TA0011

  • Application Layer Protocol - T1071:
    • C2 URLs / IPs found in malware configuration

 

NetWitness Detections

To detect DarkTortilla activity, deploy the following endpoint apprules:

  • DarkTortilla Renames Initial Loader
  • Modifies Winlogon DLL for Persistence
  • Autorun Unsigned in AppDataLocal Directory

 

Conclusion and Solution

Although DarkTortilla is a crypter, it is capable of evading detection, is highly configurable, and delivers a wide range of popular and effective malware. Its capabilities and prevalence make it a formidable threat. Understanding the malware, its usual delivery methods, and the TTPs used can be very beneficial for a SOC analyst, incident responder or threat hunter. NetWitness can aid in detecting the presence of DarkTortilla within your environment —so you can respond before this omnipotent malware causes major loss in the form of data, intellectual property, exfiltration, and/or financials.

 

References:

https://www.secureworks.com/research/darktortilla-malware-analysis

VirusTotal - File - 0a5dc3b6669cf31e8536c59fe1315918eb4ecfd87998445e2eeb8fed64bd2f2c

Rainbows, Steganography and Malware in a new .NET cryptor | Malwarebytes Labs

 

© 2022 RSA Security LLC or its affiliates. All rights reserved.