Cyble Research reported finding a campaign using DarkTortilla malware on phishing sites.

Researchers reported on a campaign in which they observed threat actors dropping DarkTortilla malware from phishing sites masquerading as legitimate Grammarly and Cisco sites.

In a Dec. 16 blog post, Cyble Research and Intelligence Labs (CRIL) described DarkTortilla as a complex, .NET-based malware that has been active since 2015. The researchers said the malware is best known for dropping information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRAT, and NanoCore.

During the summer, security researchers at Secureworks published a blog post about DarkTortilla that detailed its behavior. While the Secureworks researchers said DarkTortilla reaches users through spam email with malicious attachments, it was CRIL researchers who found that the threat actors behind DarkTortilla had created phishing sites for distributing the malware.

The group behind this attack has been repurposing existing malware (think cheap to do) and coupling it with an attack style known as a watering hole attack, said Andrew Barratt, vice president at Coalfire.

Barratt said the “watering holes” are all intended to look like common websites using a typo-squat — where a misspelling of a common domain name is used. This potentially lets them attract victims who have limited defenses, which in turn means that a repurposed and quite old piece of malware may still be effective against them.
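The typo-squat technique described above is something defenders can hunt for in their own DNS or proxy telemetry. The following is an added example (not code from Cyble, Secureworks or Coalfire) that flags look-alike domains against a brand watchlist: it computes an edit distance in which common digit-for-letter swaps (such as 1 for i, 0 for o) cost nothing, so "c1sco" scores as identical to "cisco", and it compares each hyphen-separated piece of the registrable label so "gramarly-download" is also caught. The watchlist uses the brands the article names (Grammarly and Cisco); the log lines, the client addresses and every look-alike domain are constructed for the example and use the reserved `.test` TLD.

```python
"""Flag look-alike (typo-squat) domains against a brand watchlist.

Added example for illustration; not taken from the Cyble or Secureworks
write-ups. Brands are those named in the article; all log data is constructed.
"""
from __future__ import annotations

# Legitimate domains for the brands named in the article (assumed watchlist).
LEGIT_DOMAINS = {"grammarly.com", "cisco.com"}
BRANDS = {d.split(".")[0] for d in LEGIT_DOMAINS}

# Character pairs that look alike in a URL bar. A substitution between the two
# members of a pair costs nothing in the distance below, so "c1sco" == "cisco".
CONFUSABLE = {
    frozenset(p) for p in (("0", "o"), ("1", "l"), ("1", "i"),
                           ("3", "e"), ("5", "s"), ("7", "t"))
}

# Constructed DNS-resolver log: "<timestamp> <client> <queried name>".
SAMPLE_LOG = """\
2022-12-16T10:01:02Z 10.0.0.12 grammarly.com
2022-12-16T10:01:09Z 10.0.0.12 grammarlly.test
2022-12-16T10:02:31Z 10.0.0.44 c1sco.test
2022-12-16T10:03:05Z 10.0.0.44 cisco.com
2022-12-16T10:04:17Z 10.0.0.51 example.org
2022-12-16T10:05:40Z 10.0.0.51 gramarly-download.test
"""


def same(ca: str, cb: str) -> bool:
    """Characters match if equal or if they form a confusable pair."""
    return ca == cb or frozenset((ca, cb)) in CONFUSABLE


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) with confusable swaps at cost 0."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                      # delete
                           cur[j - 1] + 1,                   # insert
                           prev[j - 1] + (0 if same(ca, cb) else 1)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(fqdn: str) -> str:
    """'www.grammarly.com' -> 'grammarly.com'. Simplified: assumes a one-label
    public suffix; production code should consult the Public Suffix List."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(fqdn: str, max_distance: int = 1) -> str | None:
    """Return the brand a hostname impersonates, or None if it is legitimate
    or unrelated. Exact legitimate domains are never flagged; any other
    domain whose label (or a hyphen-separated piece of it) is within
    max_distance edits of a brand is reported."""
    domain = registrable_domain(fqdn)
    if domain in LEGIT_DOMAINS:
        return None
    label = domain.split(".")[0]
    for piece in label.split("-"):
        for brand in BRANDS:
            if levenshtein(piece, brand) <= max_distance:
                return brand
    return None


def scan_log(log: str) -> list[tuple[str, str, str]]:
    """Return (client, queried name, impersonated brand) for each look-alike hit."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, fqdn = line.split()
        brand = classify(fqdn)
        if brand:
            hits.append((client, fqdn, brand))
    return hits


if __name__ == "__main__":
    for client, fqdn, brand in scan_log(SAMPLE_LOG):
        print(f"{client} queried {fqdn}: possible {brand} look-alike")
```

With a distance threshold of 1, short brand names (five letters like "cisco") will produce some false positives against unrelated words, so in practice the threshold should scale with brand length and hits should be enriched with domain age and TLS certificate data before alerting.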

“When you look at some of the names the malware is masquerading as, one is the Blizzard installer — a common installer for gamers,” Barratt said. “The group could be trying to use this to target gamers who have a habit of switching off their antivirus to increase game performance. The capabilities are highly versatile, so I’d bet the threat actor behind this is looking to build up a portfolio of initial access — to then sell on the wholesale market.”