
DarkTortilla Masquerades Grammarly, Cisco For Phishing Attacks

A campaign has been observed using typo-squatted phishing sites to distribute the DarkTortilla malware. The attackers mimic Grammarly and Cisco sites to lure victims.
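The typo-squatted domains behind this campaign are the first thing a defender can hunt for in proxy or DNS logs. As an added example (not code from the Cyble report or from Cyware), the following Python flags candidate domains that impersonate the two brands named above, either by a small edit distance to the brand name or by embedding it. The brand list, the legitimate-domain allowlist and the sample domains are all constructed.

```python
# Added example, not from the Cyble/Cyware report: flag domains that impersonate
# protected brands, either by a small edit distance to the brand name or by
# embedding it. Brand list, allowlist and sample domains are constructed.
import re

PROTECTED_BRANDS = ("grammarly", "cisco")
LEGITIMATE = {"grammarly.com", "cisco.com"}   # constructed allowlist


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain: str):
    """Return (registrable domain, second-level label); naive, ignores multi-part TLDs."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return domain.lower(), parts[0]
    return ".".join(parts[-2:]), parts[-2]


def classify(domain: str, max_distance: int = 2):
    """Return (brand, reason) when the domain looks like a brand lookalike, else None."""
    registrable, label = split_domain(domain)
    if registrable in LEGITIMATE:
        return None
    # drop separators so 'grammar-ly' compares as 'grammarly'
    collapsed = re.sub(r"[^a-z0-9]", "", label)
    for brand in PROTECTED_BRANDS:
        if collapsed == brand:
            return brand, "brand-lookalike"       # other TLD or hyphenated spelling
        if brand in collapsed:
            return brand, "embeds-brand"          # e.g. brand + 'download'
        dist = damerau_levenshtein(collapsed, brand)
        if dist <= max_distance:
            return brand, f"edit-distance-{dist}"
    return None


def scan(domains):
    """Map each flagged domain to its (brand, reason)."""
    return {d: hit for d in domains if (hit := classify(d)) is not None}


if __name__ == "__main__":
    # constructed sample domains, not indicators from the report
    for domain, hit in scan(["gramarly.com", "grammarly-download.net", "csico.co",
                             "www.grammarly.com", "example.org"]).items():
        print(f"{domain}: looks like {hit[0]} ({hit[1]})")
```

A distance of 2 is generous for a five-letter brand such as cisco (ordinary words like "disco" land within it), so in practice short brands get a threshold of 1 or an allowlist of known-benign near matches; the function takes the threshold as a parameter for that reason.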

Phishing via Grammarly

Cyble researchers found that the campaign uses more than one infection chain to deliver the DarkTortilla malware.
  • Phishing sites masquerading as the Grammarly site download a malicious ZIP file when the user clicks the “Get Grammarly” button.
  • The ZIP file contains a malicious cabinet file disguised as the Grammarly executable.
  • When executed, this file drops another .NET-based executable (EMPLOY~2.EXE) into the temp folder and runs it.
  • This .NET executable then downloads an encrypted DLL from a remote server and decrypts it in memory using RC4.
  • The decrypted DLL is loaded into memory and carries out the remaining malicious activity on the system.
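The encrypted DLL that is RC4-decrypted in memory also gives the analyst a triage step: once the RC4 key has been recovered from the loader, a captured blob can be decrypted offline and checked for a valid PE header before anything is loaded into a debugger or sandbox. The following Python is an added example, not code from the report; the key and the encrypted blob are constructed (a minimal DOS/PE header stub encrypted under the constructed key stands in for a real DLL).

```python
# Added example, not from the Cyble/Cyware report: offline RC4 decryption of a
# captured blob followed by a PE header sanity check, the way an analyst would
# confirm a recovered key before loading anything. Key and blob are constructed.
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has the DOS 'MZ' magic and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def constructed_pe_stub() -> bytes:
    """Minimal buffer with a valid DOS header and PE signature; stands in for a real DLL."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew -> offset 0x80
    hdr += b"\x00" * (0x80 - len(hdr))            # DOS stub padding
    hdr += b"PE\x00\x00" + b"\x00" * 20           # signature + empty COFF header
    return bytes(hdr)


def try_decrypt_pe(blob: bytes, key: bytes):
    """Decrypt with the candidate key; return the plaintext only if it parses as a PE."""
    plain = rc4(key, blob)
    return plain if looks_like_pe(plain) else None


CONSTRUCTED_KEY = b"constructed-rc4-key"                            # assumption
CONSTRUCTED_BLOB = rc4(CONSTRUCTED_KEY, constructed_pe_stub())      # what a capture might hold

if __name__ == "__main__":
    result = try_decrypt_pe(CONSTRUCTED_BLOB, CONSTRUCTED_KEY)
    print("valid PE after decryption" if result else "not a PE: wrong key or different scheme")
```

A wrong candidate key yields None rather than garbage, which is the point of checking the header: the check is cheap, and it separates "key recovered correctly" from "the loader uses a different scheme" before any time is spent on the payload itself.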

Phishing via Cisco

Researchers also found Cisco-themed phishing sites that, when visited, downloaded a file from an attacker-controlled URL.
  • Upon execution, the malware kicks off several tasks, uses antivirus evasion techniques, and bypasses UAC.
  • It creates a Task Scheduler entry for the malware payload (Battle.net-Setup.exe) as a persistence mechanism.
  • The payload retrieves and loads a new module named “COROTIA.dll” and executes it from memory. This module is the actual DarkTortilla payload.
  • The final payload is responsible for all the malicious activities, including checking for a virtual environment, establishing persistence, displaying a fake message, communicating with its C2 server, receiving commands, and downloading additional payloads.

Establishing persistence

  • The malware loads and executes an additional payload that modifies the target path of a quick launch .LNK file on the compromised system.
  • It uses this technique to maintain persistence; once persistence is established, it connects to its C2 server to download additional payloads, including Agent Tesla, AsyncRAT, NanoCore, and RedLine.
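The two persistence mechanisms described on this page, the Task Scheduler entry for Battle.net-Setup.exe and the rewritten quick launch .LNK target, both show up in artefacts an endpoint collection script can export. As an added example (not code from the report or from Cyble), the following Python triages such records: scheduled-task actions and shortcut targets that resolve into user-writable directories, and quick launch shortcuts whose target no longer matches a baseline. The record layout, the baseline and the sample records are all constructed.

```python
# Added example, not from the Cyble/Cyware report: triage exported persistence
# artefacts (scheduled-task actions and quick launch .LNK targets). Record
# layout, baseline and sample records are constructed.
import re

# Directories a standard user can write to; a persistence action launching from
# here deserves a closer look. Constructed, non-exhaustive list.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads)|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE,
)

# Constructed baseline: what each quick launch shortcut is expected to point at.
LNK_BASELINE = {
    "Google Chrome.lnk": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
}

QUICK_LAUNCH = r"C:\Users\alice\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"

# Constructed sample records, as a collection script might export them.
SAMPLE_RECORDS = [
    {"kind": "task", "name": r"\Battle.net Updater",
     "action": r"C:\Users\alice\AppData\Roaming\Battle.net-Setup.exe"},
    {"kind": "task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"C:\Windows\System32\defrag.exe"},
    {"kind": "lnk", "path": QUICK_LAUNCH + r"\Google Chrome.lnk",
     "target": r"C:\Users\alice\AppData\Local\Temp\EMPLOY~2.EXE"},
    {"kind": "lnk", "path": QUICK_LAUNCH + r"\Google Chrome.lnk",
     "target": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]


def in_user_writable(path: str) -> bool:
    """True if the path sits under a directory a standard user can write to."""
    return bool(USER_WRITABLE.match(path))


def review_task(rec: dict) -> list:
    """Reasons a scheduled-task record is suspicious (empty list if none)."""
    reasons = []
    if in_user_writable(rec["action"]):
        reasons.append("action-in-user-writable-dir")
    return reasons


def review_lnk(rec: dict) -> list:
    """Reasons a shortcut record is suspicious (empty list if none)."""
    reasons = []
    name = rec["path"].rsplit("\\", 1)[-1]
    expected = LNK_BASELINE.get(name)
    if expected is not None and rec["target"].lower() != expected.lower():
        reasons.append("target-differs-from-baseline")
    if in_user_writable(rec["target"]):
        reasons.append("target-in-user-writable-dir")
    return reasons


def triage(records) -> list:
    """Return (kind, identifier, reasons) for every record that raised at least one reason."""
    findings = []
    for rec in records:
        reasons = review_task(rec) if rec["kind"] == "task" else review_lnk(rec)
        if reasons:
            findings.append((rec["kind"], rec.get("name") or rec["path"], reasons))
    return findings


if __name__ == "__main__":
    for kind, ident, reasons in triage(SAMPLE_RECORDS):
        print(f"[{kind}] {ident}: {', '.join(reasons)}")
```

The baseline comparison is what catches the .LNK technique specifically: the shortcut file keeps its name and icon, so only the target path changes, and a user-writable location for that target is the second signal worth alerting on even when no baseline exists for the shortcut.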

Conclusion

DarkTortilla has been active since 2015, and its capabilities and prevalence make it a formidable threat. The malware can push a wide range of malicious payloads and evade detection. Security researchers need to pay attention to DarkTortilla because of its pervasiveness. Users are advised not to open suspicious or untrusted links and email attachments without verifying their authenticity.
Cyware Publisher