DarkTortilla

Malware Profile Updated 3 months ago
DarkTortilla is a highly configurable, .NET-based crypter malware that has possibly been active since at least August 2015. It primarily delivers commodity malware, but Secureworks® Counter Threat Unit™ (CTU) researchers have identified samples delivering targeted payloads such as Cobalt Strike and Metasploit. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.

DarkTortilla is often overlooked by researchers who focus on its main payload. However, alongside the main payload it is tasked with delivering, it carries additional add-ons, including benign decoy documents, legitimate executables, keyloggers, clipboard stealers, cryptocurrency miners, and additional DarkTortilla payloads. The WatchDog executable bytes are stored in the DarkTortilla %WatchDogBytes% configuration element, and its filename is stored in %WatchDogName%.

Despite the focus on its main payload, DarkTortilla itself is capable of evading detection and delivers a wide range of popular and effective malware. CTU™ analysis of VirusTotal samples revealed numerous campaigns delivering DarkTortilla via malicious spam (malspam). Its high configurability, evasion capabilities, and the broad spectrum of malware it can deliver make DarkTortilla a significant threat.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Hive | 1 | Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Cobalt Strike
Loader
Windows
Decoy
Spam
Payload
Crypter
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the DarkTortilla malware was read from the document corpus below.
Source | Created At | Title
Secureworks | a year ago | DarkTortilla Malware Analysis