reports that nearly 10,000 samples of the DarkTortilla crypter were uploaded to VirusTotal over the course of 16 months, a sign of the .NET-based crypter's continued rapid evolution.
DarkTortilla, which has been in circulation since 2015 but has drawn little scrutiny from researchers, has been leveraged to distribute information stealers and remote access trojans. Targeted payloads and other add-on packages have also been delivered through DarkTortilla, a report from Secureworks' Counter Threat Unit (CTU) revealed.
"Researchers often overlook DarkTortilla and focus on its main payload. However, DarkTortilla is capable of evading detection, is highly configurable, and delivers a wide range of popular and effective malware. Its capabilities and prevalence make it a formidable threat," said researchers.
DarkTortilla resembles the many generic .NET-based crypters, droppers, and loaders that are obfuscated with tools such as DeepSea, Eazfuscator, and ConfuserEx, which may explain why it escaped close examination until very recently, according to CTU Senior Security Researcher Rob Pantazopoulos.
"As a result, these crypters are often overlooked by security researchers in favor of their main payload given the high cost and low reward that reverse engineering the crypter would likely result in," Pantazopoulos added.