September 25, 2023

Researchers has warned of a sophisticated, evasive crypter that several threat actors are using to distribute a range of information stealers and RATs.

Dubbed as DarkTortilla, a .NET-based crypter can be configured to deliver numerous malicious payloads, and can potentially be used to plant illegal content on a victim’s system. It’s also capable of tricking both users and sandboxes into believing it is benign.

DarkTortilla in the past delivered a wide range of other malware, including Remcos, BitRat, FormBook, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat. On a few occasions, the crypter has also been used in targeted attacks to deliver payloads such as Metaspolit and Cobalt Strike.


Most recently, it’s been used mainly to deliver malware such as the RATs AgentTesla, NanoCore, and AsyncRat, as well as the information-stealer RedLine.

DarkTortilla exists since October 2021 when we detected a threat actor leveraging a Microsoft Exchange RCE vulnerability (CVE-2021-34473) to execute malicious PowerShell within customer environments. Nearly 1000 unique samples have been found since started tracked by resea

The various anti-analysis and anti-tampering controls it packs to make detection and analysis highly challenging. The malware, for instance, uses open source tools such as DeepSea and ConfuserEX to obfuscate its code, and its main payload gets executed entirely in memory.

The DarkTortilla’s initial loader, which is the only component of the malware that touches the file system, contains minimal functionality, making it hard to spot.

The analysis of DarkTortilla showed that it migrates execution to the Windows %TEMP% directory during initial execution, a feature that is troublesome for defenders. One benefit in doing this from the attacker’s perspective is that it allows DarkTortilla to hide on an infected system.

Second, if the %Delay% configuration element is defined within the DarkTortilla configuration, the amount of time from when DarkTortilla is run to when the main payload gets executed increases exponentially.

Once defenders submit the sample to most popular sandboxes, the sample will likely timeout without doing anything malicious and the sandbox may report that the sample was benign.


DarkTortilla’s ability to deliver numerous additional payloads in the form of ‘addons’ to be very interesting, In one instance, the configured addon was a benign decoy Excel spreadsheet that opened as the malware was executing in the background. In another instance, the configured addon was a legitimate application installer that ran when the malware was executing. Thus the victim assumed they were installing a legitimate application.

This research was conducted and documented by researchers from Secureworks

Leave a Reply

%d bloggers like this: