Cyble – Sophisticated DarkTortilla Malware Spreading Via Phishing Sites

Malware Modifies User’s .LNK Files to Establish Persistence

During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) identified a malicious campaign where we observed Threat Actors (TAs) dropping DarkTortilla malware. DarkTortilla is a complex .NET-based malware that has been active since 2015. The malware is known to drop multiple stealers and Remote Access Trojans (RATs) such as AgentTesla, AsyncRAT, NanoCore, etc.

Recently, security researchers published a blog post about DarkTortilla and its detailed behavior. According to their analysis, DarkTortilla reaches users via spam email with malicious attachments. CRIL, however, identified that the TAs behind DarkTortilla had also created phishing sites for distributing the malware.

As shown below, we identified two phishing sites masquerading as the legitimate Grammarly and Cisco sites. Links to the phishing sites could reach users via spam email, online ads, etc.

Figure 1 – Grammarly Phishing Site
Figure 2 – CISCO Phishing Site

The phishing sites download malicious samples, which lead to a DarkTortilla infection. The samples delivered from the two phishing sites use different infection techniques to deliver the DarkTortilla malware. Interestingly, the malware modifies the target path of the victim’s .LNK files to maintain persistence. This blog covers the infection techniques and payload delivery in detail.

Technical Analysis

DarkTortilla Loader from Grammarly Phishing Site:

The Grammarly phishing site downloads a malicious zip file named “GnammanlyInstaller.zip” when the user clicks the “Get Grammarly” button. The zip file contains a malicious cabinet file, “GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe”, disguised as a Grammarly executable. The figure below shows the details of the file.

Figure 3 – Details of Malicious Loader Masquerading as Grammarly Program

“GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe” is a cabinet file (.CAB) which, when executed, drops a .NET-based file “EMPLOY~2.EXE” in the temp folder. “EMPLOY~2.EXE” is a 32-bit .NET executable with the SHA256 value “92d8f17d9c5ee8169b4995c4b154dc47e401f41affda88da58fbc6b867145878”.

Upon execution, the .NET executable downloads an encrypted file from the remote server “hxxps://atomm.com[.]br/.well-known/acme-challenge/ol/Fjawtld[.]png”, decrypts it using RC4, and executes the result in memory. The image below shows the code snippet the malware uses to decrypt the file.

Figure 4 – Decrypted Payload in the Memory

The decrypted file is a DLL named “Kreocxoyxpcstfwtjlrj.dll” with SHA256 “c5d91e6209d0db07e0d2f3a88bdb97d7fb9ccc0b906c514b5648f6f1aa104d3e”. The malware loads this DLL in memory; it acts as the final payload and performs the remaining malicious activities on the system.
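The RC4 step described above can be reproduced offline when triaging a captured download: decrypt the blob with the key recovered from the loader and confirm that the output is a PE image before doing anything else with it. The following is an added example, not code from the Cyble post or from the malware. The key and the ciphertext are constructed placeholders, since the post does not publish the RC4 key; the standard RC4 test vector (“Key”/“Plaintext”) is included so the implementation itself can be checked.

```python
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA keystream XORed over data); encrypt and decrypt are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_payload(key: bytes, ciphertext: bytes) -> bytes:
    """Decrypt a downloaded blob and refuse to hand back anything that is not a PE image."""
    plain = rc4(key, ciphertext)
    if not looks_like_pe(plain):
        raise ValueError("RC4 output is not a PE image: wrong key or a different cipher")
    return plain


def build_fake_pe() -> bytes:
    """Constructed stand-in for a real PE: a DOS header whose e_lfanew points at a PE signature."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20


# Placeholder key: the real key lives in the loader and is not given in the post.
SAMPLE_KEY = b"placeholder-rc4-key"
# Constructed stand-in for the encrypted Fjawtld.png download.
SAMPLE_CIPHERTEXT = rc4(SAMPLE_KEY, build_fake_pe())

if __name__ == "__main__":
    pe = decrypt_payload(SAMPLE_KEY, SAMPLE_CIPHERTEXT)
    print("decrypted %d bytes, PE signature at 0x%x" % (len(pe), struct.unpack_from("<I", pe, 0x3C)[0]))
```

In practice the key is pulled from the loader’s decompiled .NET code (the snippet in Figure 4) and the ciphertext is the saved HTTP response; the PE check is what tells you the key was right without having to eyeball the output.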

DarkTortilla Loader from CISCO Phishing Site:

The CISCO phishing site downloads a file from the URL “hxxps://cicsom.com/download/TeamViewerMeeting_Setup_x64.exe”, which is a VC++ compiled binary, as shown below.

Figure 5 – File Details of the Fake Cisco-Related Malware

Upon execution, the malware executes a long series of MOV instructions that copy the encrypted content onto the stack for later use. The malware uses this technique to evade anti-virus detection.

Figure 6 – MOV Instruction to Copy Encrypted Code

After moving the content onto the stack, the malware runs a decryption loop over it to recover a Portable Executable (PE) file, creates a new registry key “HKEY_CURRENT_USER\SOFTWARE\TeamViewerMeeting_Setup_x64”, and stores the decrypted PE file there as a binary value, as shown below.

Figure 7 – Contents of Decrypted PE File

Using the same technique, the malware executes another series of MOV instructions that copy a PowerShell command onto the stack, as shown below.

Figure 8 – Copied PowerShell Command

After this, the malware bypasses UAC using “COM Moniker Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}” and runs the previously prepared PowerShell content using PowerShell.exe.

The figure below shows the PowerShell command used by the malware.

Figure 9 – Execution of PowerShell Command

The PowerShell command reads the binary value from the registry key “HKEY_CURRENT_USER\SOFTWARE\TeamViewerMeeting_Setup_x64”, saves it in the “LOCALAPPDATA” folder as “Battle.net-Setup.exe”, and then executes it. The PowerShell command also creates a Task Scheduler entry for “Battle.net-Setup.exe” as a persistence mechanism. The figure below shows the Task Scheduler entry created by the malware.

Figure 10 – Task Scheduler Entry Created by the Malware
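The PowerShell stage above reads a whole PE out of a REG_BINARY value and drops it to disk, and a registry-resident PE is a pattern worth hunting for regardless of this particular sample. The following is an added example, not code from the Cyble post: it parses a `.reg` export (the format produced by `reg export` or regedit, including the backslash continuation lines hex data is split across) and flags binary values that start with an MZ header and are large enough to be an executable. The export text is constructed; the key name is the one reported above, while the value name “Payload” and the second key are assumptions.

```python
import re

# Constructed .reg export. The first key name is from the report; the value name and the
# second key are invented for the example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\TeamViewerMeeting_Setup_x64]
"Payload"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,\
  b8,00,00,00,00,00,00,00,40,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,80,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\ExampleVendor\Settings]
"Theme"="dark"
"Flag"=dword:00000001
"WindowPos"=hex:10,00,00,00,20,00,00,00
"Blob"=hex(3):4d,5a,00,00
"""

HEX_RE = re.compile(r"^hex(?:\((\w+)\))?:(.*)$")
HEX_TYPES = {None: "REG_BINARY", "3": "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}


def _logical_lines(text):
    """Join physical lines that end in a backslash (hex data continued on the next line)."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        if buf:
            yield buf
        buf = ""


def parse_reg_export(text):
    """Yield (key_path, value_name, value_type, data) for every value in a .reg export."""
    key = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith('"'):
            yield key, name, "REG_SZ", value.strip('"')
        elif value.startswith("dword:"):
            yield key, name, "REG_DWORD", int(value[6:], 16)
        else:
            m = HEX_RE.match(value)
            if m:
                rtype = HEX_TYPES.get(m.group(1), "hex(%s)" % m.group(1))
                yield key, name, rtype, bytes.fromhex(m.group(2).replace(",", ""))


def find_registry_resident_pe(text, min_size=64):
    """Return (key, value_name, size) for REG_BINARY values that begin with an MZ header."""
    hits = []
    for key, name, rtype, data in parse_reg_export(text):
        if rtype == "REG_BINARY" and len(data) >= min_size and data[:2] == b"MZ":
            hits.append((key, name, len(data)))
    return hits


if __name__ == "__main__":
    for key, name, size in find_registry_resident_pe(SAMPLE_REG_EXPORT):
        print("PE stored in registry: %s\\%s (%d bytes)" % (key, name, size))
```

A realistic sweep exports HKCU\SOFTWARE (and HKLM\SOFTWARE) with `reg export` and feeds the file to `find_registry_resident_pe`; the size floor keeps short values that merely happen to start with 0x4D 0x5A (like the 4-byte “Blob” above) out of the results.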

Payload Analysis:

The figure below shows the file information of the malware payload named “Battle.net-Setup.exe”, a 32-bit GUI-based executable compiled with a .NET compiler.

Figure 11 – Payload file details

Upon execution, “Battle.net-Setup.exe” retrieves and loads a new module named “COROTIA.dll” and executes it from memory. “COROTIA.dll” is the actual DarkTortilla payload and is responsible for all the malicious activities, such as creating persistence, process injection, checking for a virtual environment, displaying a fake message, communicating with its C&C server, receiving commands, downloading additional payloads, etc.

The figure below shows the .NET classes of the newly loaded module.

Figure 12 – COROTIA module

Upon execution, the “COROTIA.dll” module converts a large byte array into hex values that decode to the strings it needs: anti-VM check strings, executable names used for process injection, configuration details, etc., as shown below.

Figure 13 – Converted strings

AntiVMs

The malware performs an anti-virtual-machine check to identify whether it is executing in a controlled environment such as VMware, VBox, etc.

FakeMessage

This class contains the code to display the fake message below, which tricks the user into believing the application failed to run because a dependency is missing.

  • MessageTitle: “.Net Framework Initialization Error”
  • MessageBody: “To run this application, you first must install one of the following versions of the .Net Framework:\r\n.Net Framework, Version = 4.8.0”

Persist

This class is responsible for malware persistence by creating auto-start entries, such as dropping a copy of itself into the Startup folder and creating Run/Winlogon registry entries.

  • The malware uses the %InstallationReg% and %InstallationKey% configuration elements to create normal persistence.
  • The malware uses the %HiddenReg% and %HiddenKey% configuration elements to create hidden persistence.

Decrypter

The malware uses this class to decrypt the additional payload using the CreateDecryptor() method of the .NET class System.Security.Cryptography.RijndaelManaged, as shown below.

Figure 14 – Code snippet to decrypt the payload

Install

The malware uses this class to load and execute the decrypted payload using the NewLateBinding.LateGet() method, passing the payload as an argument, as shown in the figure below.

Figure 15 – Actual payload execution

Persistence using LNK files:

  • In our testing, the malware loads and executes an additional payload using the Decrypter and Install .NET classes described above. The loaded file is a VC++ compiled binary responsible for modifying the target path of the victim’s Quick Launch .LNK files. The decrypted VC++ file performs the following operations:
  • Upon execution, it creates a mutex named “NUkiklN<yjUKNj” and creates a new directory named “tmp” under the %Userprofile% location.
  • The malware then copies “Battle.net-Setup.exe” into the newly created “tmp” folder as “system_update.exe”.
  • Next, it searches for .LNK files in the location below using API functions such as FindFirstFileExW() and FindNextFileExW():
    • “%Userprofile%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch”
  • It then retrieves the target path of each .LNK file found, extracts the icon of the target application, and stores it in the “tmp” location using APIs such as CreateFileA(), GetIconInfo(), GetObjectA(), and WriteFileA().
  • The malware now creates .bat files containing commands that execute the “system_update.exe” file and then the actual application, as shown below.

Figure 16 – Dropped bat & ico files by malware

  • Finally, it modifies the target path of each .LNK file to point at the corresponding “.bat” file created previously in the “tmp” location. This gives the malware persistence: the malicious file runs whenever the user clicks one of the .LNK files in the Quick Launch location.

Figure 17 – Modified target path of Chrome Quick Launch file
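Auditing a Quick Launch folder for the .LNK hijack described above requires reading the shortcut’s real target rather than trusting the icon or name Explorer shows. The following is an added example, not code from the Cyble post: it parses the MS-SHLLINK ShellLinkHeader, LinkInfo and StringData sections to recover each shortcut’s target and arguments, and flags shortcuts whose target is a batch script or whose path lies under a “tmp” directory in the user profile. The sample shortcuts are built by the included `build_lnk` helper and are constructed; the shortcut names and the `victim` profile path are assumptions.

```python
import struct

# ShellLinkHeader LinkFlags (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_DATA = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH), ("working_dir", HAS_WORKING_DIR),
               ("arguments", HAS_ARGUMENTS), ("icon_location", HAS_ICON_LOCATION))
SCRIPT_EXTS = (".bat", ".cmd")


def _cstr(data, off):
    """Read a NUL-terminated ANSI string starting at off."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Return the local target path and StringData fields of a .LNK file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:              # skip the IDList (IDListSize + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"target": ""}
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x1:                           # VolumeIDAndLocalBasePath
            info["target"] = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += li_size
    for field, bit in STRING_DATA:                  # CountCharacters + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            info[field] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252")
            pos += width * count
    return info


def suspicious_reasons(info):
    """Heuristics for a hijacked shortcut; empty list means nothing stood out."""
    reasons = []
    target, args = info["target"].lower(), info.get("arguments", "").lower()
    if target.endswith(SCRIPT_EXTS):
        reasons.append("target is a batch script")
    if any(ext in args for ext in SCRIPT_EXTS):
        reasons.append("arguments reference a batch script")
    if "\\tmp\\" in target or "\\tmp\\" in args:
        reasons.append("path under a user-profile 'tmp' directory")
    return reasons


def scan_shortcuts(shortcuts):
    """shortcuts: iterable of (filename, bytes). Returns [(filename, target, reasons)] for suspicious ones."""
    hits = []
    for name, blob in shortcuts:
        try:
            info = parse_lnk(blob)
        except ValueError:
            continue                                 # not a .LNK, or truncated
        reasons = suspicious_reasons(info)
        if reasons:
            hits.append((name, info["target"], reasons))
    return hits


def build_lnk(target, arguments=None):
    """Constructed minimal .LNK: header + LinkInfo with a LocalBasePath, optional ARGUMENTS string."""
    base = target.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"
    flags, string_data = HAS_LINK_INFO | IS_UNICODE, b""
    if arguments is not None:
        flags |= HAS_ARGUMENTS
        string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(0x4C - 0x18)
    return header + link_info + string_data


# Constructed sample set: one hijacked shortcut and one legitimate one.
SAMPLE_SHORTCUTS = [
    ("Google Chrome.lnk", build_lnk(r"C:\Users\victim\tmp\chrome.bat")),
    ("Launch Internet Explorer Browser.lnk",
     build_lnk(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "--profile-directory=Default")),
]

if __name__ == "__main__":
    for name, target, reasons in scan_shortcuts(SAMPLE_SHORTCUTS):
        print("%s -> %s (%s)" % (name, target, "; ".join(reasons)))
```

On a live system, feed `scan_shortcuts` the bytes of every `*.lnk` under `%Userprofile%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch` (the Startup folder and the desktop are worth the same pass); a browser shortcut whose target is a `.bat` is the direct fingerprint of this technique, and the dropped `.bat`/`.ico` pair in `%Userprofile%\tmp` confirms it.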

After gaining persistence, the malware connects to its C&C server and waits for commands to download additional payloads from the remote server. DarkTortilla is known to download Remote Access Trojans (RATs) such as AgentTesla, NanoCore, AsyncRAT, etc.

Conclusion

DarkTortilla is a highly sophisticated .NET-based malware that targets users in the wild. In this campaign, the TAs use typosquatted phishing sites to deliver the DarkTortilla malware. The files downloaded from the two phishing sites exhibit different infection techniques, indicating that the TAs likely have a sophisticated platform capable of customizing and compiling the binary with various options.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Malware Attacks

  • Do not open suspicious links in emails.
  • Do not download software from untrusted sources.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After a Malware Attack

  • Detach infected devices from the network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impact and Criticality of Malware

  • Additional malware can be dropped onto the system.
  • Infected systems could attack other systems.
  • Loss of valuable data.
  • Loss of the organization’s reputation and integrity.
  • Loss of the organization’s sensitive business information.
  • Disruption of organization operations.
  • Monetary loss.

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Initial Access       T1566          Phishing
Execution            T1204          User Execution
Persistence          T1547.001      Registry Run Keys / Startup Folder
Defense Evasion      T1140          Deobfuscate/Decode Files or Information
Defense Evasion      T1562          Impair Defenses
Command and Control  T1071          Application Layer Protocol

IoCs

Indicators                                                          Indicator Type   Description
Gnammarly[.]com                                                     Domain           Fake Grammarly website
Cicsom[.]com                                                        Domain           Fake Cisco website
f37297ca392c822e40f1409e707f72e5                                    MD5              GnammanlyInstaller.zip
33c6d13f7038a1417f06d50c06019cd86c2f6325                            SHA1             GnammanlyInstaller.zip
11e99d792c523ea387490056556134c4ba2982a3b5c032be9328eaef3dd16cc6    SHA256           GnammanlyInstaller.zip
dda80ef034041756b99ae92e4c10378f                                    MD5              GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe
584abac8c2477518c9503b5de50b0c885fdca95c                            SHA1             GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe
40b16a5966c15cb218c30be2f256caacf76f1ab9825788539f6d1b633d3bf883    SHA256           GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe
04a332bcd6b64627f1e9cf1415293bbb                                    MD5              EMPLOY~2.EXE
0b9fbce7e2db72091974c90ad95b5c0ac82c15ce                            SHA1             EMPLOY~2.EXE
92d8f17d9c5ee8169b4995c4b154dc47e401f41affda88da58fbc6b867145878    SHA256           EMPLOY~2.EXE
4b0565985be9f184cd524f87367a8e21                                    MD5              Fjawtld.png
7d93b26cc3dc87a4ba9a74fb8596c602b4538adc                            SHA1             Fjawtld.png
6f36b9dd729efb9349fb3f3ae0c6dc93a1361297932a72186623faadebecf4cc    SHA256           Fjawtld.png
hxxps://atomm.com[.]br/.well-known/acme-challenge/ol/Fjawtld[.]png  URL              Encrypted payload
d8501f1cc170a1425d39ec9884f5e048                                    MD5              Kreocxoyxpcstfwtjlrj.dll (DarkTortilla payload)
031af793c722f56f86677a46aae83c3a164b2899                            SHA1             Kreocxoyxpcstfwtjlrj.dll (DarkTortilla payload)
c5d91e6209d0db07e0d2f3a88bdb97d7fb9ccc0b906c514b5648f6f1aa104d3e    SHA256           Kreocxoyxpcstfwtjlrj.dll (DarkTortilla payload)
2fd30bb80e88cf859fcc2ca6750f2c2f                                    MD5              TeamViewerMeeting_Setup_x64.exe
df6ef64d893e6e8abb275ffd986e3f18fbc0fedd                            SHA1             TeamViewerMeeting_Setup_x64.exe
76956df7cae35333a22e1a5f47d1c7f9d7bf2a98bd9dab7727092f2224cdd229    SHA256           TeamViewerMeeting_Setup_x64.exe
77bd3b7ac9b58bde238654cdce862df8                                    MD5              Battle.net-Setup.exe
ffb55814b6ddac1a9db66f818dc290997a0e2d72                            SHA1             Battle.net-Setup.exe
0b1c7cf8e467f63714f15686070d4ebf755b0dea87300d4b917cfa2f03e95bcc    SHA256           Battle.net-Setup.exe
79759748574e4537ef921ef939a82678                                    MD5              COROTIA.dll (DarkTortilla payload)
c6b20fe67c0d3fd403ebf20aa7d57d235ce0215e                            SHA1             COROTIA.dll (DarkTortilla payload)
fd3654a5cf8818588e413ed932c237e5ddd035d921ed67646cb009e9f480fd07    SHA256           COROTIA.dll (DarkTortilla payload)
b750feb320debcc37afb06e489902831                                    MD5              VC++ file responsible for .LNK file modification
43d9a6e798178f1e2bfcc19d9f0995c95c9ee4f1                            SHA1             VC++ file responsible for .LNK file modification
f448f897d7c33f3c82a8e976ac5466537f318d995fffb7582efef3834c50d1fc    SHA256           VC++ file responsible for .LNK file modification

Source: https://blog.cyble.com/2022/12/16/sophisticated-darktortilla-malware-spreading-via-phishing-sites/