DarkTortilla

Malware Profile Updated 13 days ago
Download STIX
Preview STIX
DarkTortilla is a highly configurable, .NET-based crypter malware that has possibly been active since at least August 2015. It primarily delivers commodity malware, but Secureworks® Counter Threat Unit™ (CTU) researchers have identified samples delivering targeted payloads such as Cobalt Strike and Metasploit. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021. DarkTortilla is often overlooked by researchers who focus on its main payload. However, it carries additional add-ons including benign decoy documents, legitimate executables, keyloggers, clipboard stealers, cryptocurrency miners, and additional DarkTortilla payloads. These addons are in addition to the main payload that DarkTortilla is tasked with delivering. The WatchDog executable bytes are stored in the DarkTortilla %WatchDogBytes% configuration element, and the filename is stored in %WatchDogName%. Despite the focus on its main payload, DarkTortilla itself is capable of evading detection and delivers a wide range of popular and effective malware. CTU™ analysis of VirusTotal samples revealed numerous campaigns delivering DarkTortilla via malicious spam (malspam). This makes DarkTortilla a significant threat due to its high configurability, evasion capabilities, and the broad spectrum of malware it can deliver.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the DarkTortilla Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Secureworks
a year ago
DarkTortilla Malware Analysis