Malware Modifies User’s .LNK Files to Establish Persistence
During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) identified a malicious campaign where we observed Threat Actors (TAs) dropping DarkTortilla malware. DarkTortilla is a complex .NET-based malware that has been active since 2015. The malware is known to drop multiple stealers and Remote Access Trojans (RATs) such as AgentTesla, AsyncRAT, NanoCore, etc.
Recently, security researchers published a blog about DarkTortilla and its detailed behavior. According to their analysis, DarkTortilla reaches users via spam email with malicious attachments. But CRIL identified that the Threat Actors (TAs) behind the DarkTortilla had created phishing sites for distributing the malware.
As shown below, we identified two phishing sites masquerading as the legitimate Grammarly and Cisco sites. Links to the phishing sites could reach users via spam email, online ads, etc., to infect them.
The phishing sites download malicious samples, which in turn lead to a DarkTortilla infection. The samples delivered from the two phishing sites use different infection techniques to deliver the DarkTortilla malware. Interestingly, the malware modifies the target path of the victim's .LNK files to maintain persistence. This blog covers the infection techniques and payload delivery in detail.
Technical Analysis
DarkTortilla Loader from Grammarly Phishing Site:
The Grammarly phishing site downloads a malicious zip file named “GnammanlyInstaller.zip” when the user clicks on the “Get Grammarly” button. The zip file contains a malicious cabinet file, “GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe”, disguised as a Grammarly executable. The figure below shows the details of the file.
“GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe” is a cabinet file (.CAB) which, after execution, drops a .NET-based “EMPLOY~2.EXE” file in the temp folder. The file “EMPLOY~2.EXE” is a 32-bit .NET executable with the SHA256 value “92d8f17d9c5ee8169b4995c4b154dc47e401f41affda88da58fbc6b867145878”.
Upon execution, the .NET executable downloads an encrypted file from the remote server “hxxps://atomm.com[.]br/.well-known/acme-challenge/ol/Fjawtld[.]png”, decrypts it using RC4 logic and executes it in memory. The image below shows the code snippet used by the malware to decrypt the file.
The decoded file is a DLL file with the filename “Kreocxoyxpcstfwtjlrj.dll” and sha256 as “c5d91e6209d0db07e0d2f3a88bdb97d7fb9ccc0b906c514b5648f6f1aa104d3e”. The malware further loads the DLL file in the memory, which acts as a final payload and performs other malicious activities in the system.
DarkTortilla Loader from CISCO Phishing Site:
The CISCO phishing site downloads a file from the URL “hxxps://cicsom.com/download/TeamViewerMeeting_Setup_x64.exe” which is a VC++ compiled binary, as shown below.
Upon execution, the malware executes several MOV Instructions that copy the encrypted content on the stack for further malicious activities. The malware uses this technique to evade anti-virus detection.
After moving the content to the stack, the malware executes a decryption loop on the encrypted content to get the Portable Executable (PE) file, creates a new registry key “HKEY_CURRENT_USER\SOFTWARE\TeamViewerMeeting_Setup_x64”, and copies the decrypted PE file into it as a binary value, as shown below.
The malware uses the same technique, executes several MOV instructions, and copies a PowerShell command on the stack memory, as shown below.
After this, the malware bypasses UAC using the COM moniker “Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}” and executes the previously created PowerShell content using PowerShell.exe.
The figure below shows the PowerShell command used by the malware.
The PowerShell command loads the binary value from the registry key “HKEY_CURRENT_USER\SOFTWARE\TeamViewerMeeting_Setup_x64”, saves it in the “LOCALAPPDATA” folder as “Battle.net-Setup.exe” and then executes it. The PowerShell command also creates a Task Scheduler entry for “Battle.net-Setup.exe” as a persistence mechanism. The figure below shows the Task Scheduler entry created by the malware.
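As an added triage example (not code from the Cyble write-up), the following PowerShell script checks a host for the three artifacts just described: the registry key holding the decrypted PE, the dropped executable in %LOCALAPPDATA%, and the scheduled task. The key, file and task names and the reference SHA256 are taken from the write-up; the MZ-header check and the output format are this script's own assumptions.

```powershell
# Added triage script (not from the Cyble write-up). Paths, names and the
# reference SHA256 are from the write-up; the MZ-header check and the output
# format are this script's own assumptions.
$knownSha256 = 'FD3654A5CF8818588E413ED932C237E5DDD035D921ED67646CB009E9F480FD07'
$findings    = @()

# 1. Registry key that the loader fills with the decrypted PE as a binary value
$regPath = 'HKCU:\SOFTWARE\TeamViewerMeeting_Setup_x64'
if (Test-Path $regPath) {
    $key = Get-Item $regPath
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)
        # A REG_BINARY value beginning with 0x4D 0x5A ("MZ") is a PE image
        if ($data -is [byte[]] -and $data.Length -gt 2 -and
            $data[0] -eq 0x4D -and $data[1] -eq 0x5A) {
            $findings += "PE image stored in $regPath\$name ($($data.Length) bytes)"
        }
    }
}

# 2. Payload written by the PowerShell stage into %LOCALAPPDATA%
$dropped = Join-Path $env:LOCALAPPDATA 'Battle.net-Setup.exe'
if (Test-Path $dropped) {
    $hash  = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $match = if ($hash -eq $knownSha256) { 'matches reported sample' } else { 'differs from reported sample' }
    $findings += "Dropped file present: $dropped (SHA256 $hash, $match)"
}

# 3. Scheduled task whose action launches the dropped payload
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if ("$($action.Execute) $($action.Arguments)" -match 'Battle\.net-Setup\.exe') {
            $findings += "Scheduled task '$($task.TaskPath)$($task.TaskName)' runs $($action.Execute) $($action.Arguments)"
        }
    }
}

if ($findings.Count -eq 0) { 'No DarkTortilla loader artifacts found' } else { $findings }
```

Run it in the context of the user whose HKCU hive and %LOCALAPPDATA% you want to inspect, since both artifacts are per-user.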
Payload Analysis:
The figure below shows the file information of the malware payload named “Battle.net-Setup.exe”, which is a 32-bit GUI-based executable compiled with a .NET compiler.
Upon execution, the “Battle.net-Setup.exe” file retrieves and loads the new module named “COROTIA.dll” and then executes it from memory. The “COROTIA.dll” is the actual DarkTortilla payload responsible for all the malicious activities such as creating persistence, process injection, checking the virtual environment, displaying a fake message, communicating to its C&C server, receiving commands, downloading additional payloads, etc.
The figure below shows the .NET classes of the newly loaded module.
Upon execution of the “COROTIA.dll” module, it converts a larger array of bytes into HEX values containing the strings related to anti-VM check, executable names used for process injection, configuration details, etc., shown below.
AntiVMs
The malware performs anti-virtual-machine checks to identify whether the file is executing under a controlled environment such as VMware, VirtualBox, etc.
FakeMessage
This class contains the code to display the below fake message to trick the user into believing the application failed to execute due to the unavailability of dependent applications.
- MessageTitle: “.Net Framework Initialization Error”
- MessageBody: “To run this application, you first must install one of the following versions of the .Net Framework:\r\n.Net Framework, Version = 4.8.0”
Persist
This class is responsible for malware persistence by creating auto-start entries, such as dropping a copy of itself into the Startup folder and creating Run/Winlogon registry entries.
- The malware uses the %InstallationReg% and %InstallationKey% configuration elements to create normal persistence.
- The malware uses %HiddenReg% and %HiddenKey% configuration elements for creating hidden persistence.
Decrypter
The malware uses this class to decrypt additional payload using the CreateDecryptor() method of the .NET class System.Security.Cryptography.RijndaelManaged as shown below.
Install
The malware uses this class to load and execute the decrypted payload using the NewLateBinding.LateGet() method by passing the payload file as an argument, as shown in the figure below.
Persistence using LNK files:
- In our testing, the malware loads and executes an additional payload using the Decrypter and Install .NET classes mentioned above. The loaded file is a VC++ compiled file that is responsible for modifying the target path of the victim's Quick Launch .LNK files. The decrypted VC++ file performs the following operations.
- Upon execution, it creates a mutex named “NUkiklN<yjUKNj” and makes a new directory named “tmp” under the %Userprofile% location.
- The malware then creates a copy of “Battle.net-Setup.exe” in the newly created “tmp” folder, named “system_update.exe”.
- Next, it searches for .LNK files in the location below using API functions such as FindFirstFileExW() and FindNextFileExW(): “%Userprofile%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch”
- After that, the malware retrieves the target path of each .LNK file identified, gets the icon of the target application, and stores it in the “tmp” location using APIs such as CreateFileA(), GetIconInfo(), GetObjectA(), and WriteFileA().
- The malware then creates .bat files containing commands to execute the “system_update.exe” file followed by the actual application, as shown below.
- Finally, it modifies the target path of the .LNK files so that they execute the respective “.bat” files created previously in the “tmp” location. The malware gains persistence through this technique, since the malicious file executes whenever the user clicks one of the .LNK files present in the Quick Launch location.
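As an added hunting example, not part of the original write-up, this PowerShell script resolves the target of every Quick Launch .LNK, flags shortcuts redirected to .bat files in the %Userprofile%\tmp folder, and then checks for the system_update.exe copy and the mutex named above. The folder, file and mutex names come from the write-up; the output format is this script's own assumption.

```powershell
# Added hunting script (not from the Cyble write-up). Folder, file and mutex
# names are from the write-up; the output format is this script's own.
$quickLaunch = Join-Path $env:USERPROFILE 'AppData\Roaming\Microsoft\Internet Explorer\Quick Launch'
$tmpDir      = Join-Path $env:USERPROFILE 'tmp'
$shell       = New-Object -ComObject WScript.Shell
$suspicious  = @()

# Resolve each shortcut's target via the WScript.Shell COM object
$lnkFiles = Get-ChildItem -Path $quickLaunch -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue
foreach ($lnkFile in $lnkFiles) {
    $target = $shell.CreateShortcut($lnkFile.FullName).TargetPath
    # A Quick Launch shortcut should point at an application, not at a .bat in tmp
    if ($target -like "$tmpDir\*.bat") {
        $batText = if (Test-Path $target) { Get-Content -Path $target -Raw } else { '' }
        $suspicious += [pscustomobject]@{
            Shortcut        = $lnkFile.Name
            Target          = $target
            # The .bat runs system_update.exe and then the real application
            LaunchesDropper = [bool]($batText -match 'system_update\.exe')
        }
    }
}

# Companion artifacts: the dropper copy in tmp and the mutex held while it runs
$dropper = Join-Path $tmpDir 'system_update.exe'
if (Test-Path $dropper) {
    "Dropper copy present: $dropper (SHA256 $((Get-FileHash -Path $dropper -Algorithm SHA256).Hash))"
}
try {
    $mutex = [System.Threading.Mutex]::OpenExisting('NUkiklN<yjUKNj')
    $mutex.Dispose()
    "Mutex 'NUkiklN<yjUKNj' is present: the LNK-modifying payload is likely running"
} catch {
    # Mutex not present (or not accessible): nothing to report
}

if ($suspicious.Count -eq 0) { 'No redirected Quick Launch shortcuts found' }
else { $suspicious | Format-Table -AutoSize }
```

The resolved targets can also be used to restore the shortcuts: the original application path is the second command in each .bat file the script reads.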
After gaining persistence, the malware connects to its C&C server and waits for commands to download additional payloads from the remote server. DarkTortilla is known to download Remote Access Trojans (RATs) such as AgentTesla, NanoCore, AsyncRAT, etc.
Conclusion
DarkTortilla is a highly sophisticated .NET-based malware that targets users in the wild. In this campaign, the TAs use typosquatted phishing sites to deliver the DarkTortilla malware. The files downloaded from the phishing sites exhibit different infection techniques, indicating that the TAs likely have a sophisticated platform capable of customizing and compiling the binary using various options.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Malware Attacks
- Do not open suspicious links in emails.
- Do not download the software from untrusted sources.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Malware Attack
- Isolate infected devices from the rest of the network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact And Cruciality of Malware
- Additional malware can be dropped into the system.
- Infected systems could attack other systems.
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Monetary loss.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1562 | Impair Defenses |
| Command and Control | T1071 | Application Layer Protocol |
IoCs
Source: https://blog.cyble.com/2022/12/16/sophisticated-darktortilla-malware-spreading-via-phishing-sites/