After 7 years, long-term threat DarkTortilla crypter is still evolving
2022-08-17 18:41

The crypter, dubbed "DarkTortilla," usually delivers information stealers and remote access trojans such as AgentTesla, AsyncRat, NanoCore, and RedLine, though some samples have been seen delivering more targeted payloads such as Cobalt Strike and Metasploit, according to researchers with Secureworks' Counter Threat Unit (CTU).

Rob Pantazopoulos, senior security researcher with the CTU, told The Register that it is unusual for malware like DarkTortilla to remain active for so long without being detected, but that it was helped by being among a number of generic.

DarkTortilla has two components needed to launch its malicious payloads: a .NET-based executable that acts as the initial loader and a .NET-based DLL that acts as the core processor.

Code similarities seen in DarkTortilla suggest possible links with other malware, including a crypter last updated in 2016 and run by the RATs Crew threat group, which was active between 2008 and 2012, as well as Gameloader, malware that emerged last year and uses similar malicious spam lures and also leverages.

Security pros need to pay attention to DarkTortilla because of its pervasiveness, as illustrated by the high number of samples in VirusTotal, its ability to evade detection, its configurability, and the wide range of popular malware it delivers.

"Through its elaborate configuration, DarkTortilla has versatility that similar malware does not. It can be configured with numerous payloads, supports multiple persistence types, is capable of displaying a customizable message box to the victim, and can migrate its execution multiple times during its initial execution."

News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/17/darktortilla_crypter_malware_secureworks/