| enterprise |
T1071 |
Application Layer Protocol |
- |
| enterprise |
T1071.001 |
Web Protocols |
DarkTortilla has used HTTP and HTTPS for C2. |
| enterprise |
T1547 |
Boot or Logon Autostart Execution |
- |
| enterprise |
T1547.001 |
Registry Run Keys / Startup Folder |
DarkTortilla has established persistence via the Software\Microsoft\Windows NT\CurrentVersion\Run registry key and by creating a .lnk shortcut file in the Windows startup folder. |
| enterprise |
T1547.004 |
Winlogon Helper DLL |
DarkTortilla has established persistence via the Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key. |
| enterprise |
T1115 |
Clipboard Data |
DarkTortilla can download a clipboard information stealer module. |
| enterprise |
T1059 |
Command and Scripting Interpreter |
- |
| enterprise |
T1059.003 |
Windows Command Shell |
DarkTortilla can use cmd.exe to add registry keys for persistence. |
| enterprise |
T1622 |
Debugger Evasion |
DarkTortilla can detect debuggers by using functions such as DebuggerIsAttached and DebuggerIsLogging. DarkTortilla can also detect profilers by verifying the COR_ENABLE_PROFILING environment variable is present and active. |
| enterprise |
T1140 |
Deobfuscate/Decode Files or Information |
DarkTortilla can decrypt its payload and associated configuration elements using the Rijndael cipher. |
| enterprise |
T1564 |
Hide Artifacts |
DarkTortilla has used %HiddenReg% and %HiddenKey% as part of its persistence via the Windows registry. |
| enterprise |
T1574 |
Hijack Execution Flow |
- |
| enterprise |
T1574.012 |
COR_PROFILER |
DarkTortilla can detect profilers by verifying the COR_ENABLE_PROFILING environment variable is present and active. |
| enterprise |
T1105 |
Ingress Tool Transfer |
DarkTortilla can download additional packages for keylogging, cryptocurrency mining, and other capabilities; it can also retrieve malicious payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit. |
| enterprise |
T1056 |
Input Capture |
- |
| enterprise |
T1056.001 |
Keylogging |
DarkTortilla can download a keylogging module. |
| enterprise |
T1559 |
Inter-Process Communication |
- |
| enterprise |
T1559.001 |
Component Object Model |
DarkTortilla has used the WshShortcut COM object to create a .lnk shortcut file in the Windows startup folder. |
| enterprise |
T1036 |
Masquerading |
DarkTortilla‘s payload has been renamed PowerShellInfo.exe. |
| enterprise |
T1112 |
Modify Registry |
DarkTortilla has modified registry keys for persistence. |
| enterprise |
T1106 |
Native API |
DarkTortilla can use a variety of API calls for persistence and defense evasion. |
| enterprise |
T1027 |
Obfuscated Files or Information |
DarkTortilla has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators. |
| enterprise |
T1566 |
Phishing |
- |
| enterprise |
T1566.001 |
Spearphishing Attachment |
DarkTortilla has been distributed via spearphishing emails containing archive attachments, with file types such as .iso, .zip, .img, .dmg, and .tar, as well as through malicious documents. |
| enterprise |
T1057 |
Process Discovery |
DarkTortilla can enumerate a list of running processes on a compromised system. |
| enterprise |
T1055 |
Process Injection |
- |
| enterprise |
T1055.001 |
Dynamic-link Library Injection |
DarkTortilla can use a .NET-based DLL named RunPe6 for process injection. |
| enterprise |
T1518 |
Software Discovery |
- |
| enterprise |
T1518.001 |
Security Software Discovery |
DarkTortilla can check for the Kaspersky Anti-Virus suite. |
| enterprise |
T1082 |
System Information Discovery |
DarkTortilla can obtain system information by querying the Win32_ComputerSystem, Win32_BIOS, Win32_MotherboardDevice, Win32_PnPEntity, and Win32_DiskDrive WMI objects. |
| enterprise |
T1016 |
System Network Configuration Discovery |
- |
| enterprise |
T1016.001 |
Internet Connection Discovery |
DarkTortilla can check for internet connectivity by issuing HTTP GET requests. |
| enterprise |
T1007 |
System Service Discovery |
DarkTortilla can retrieve information about a compromised system’s running services. |
| enterprise |
T1204 |
User Execution |
- |
| enterprise |
T1204.002 |
Malicious File |
DarkTortilla has relied on a user to open a malicious document or archived file delivered via email for initial execution. |
| enterprise |
T1497 |
Virtualization/Sandbox Evasion |
- |
| enterprise |
T1497.001 |
System Checks |
DarkTortilla can search a compromised system’s running processes and services to detect Hyper-V, QEMU, Virtual PC, Virtual Box, and VMware, as well as Sandboxie. |
| enterprise |
T1497.003 |
Time Based Evasion |
DarkTortilla can implement the kernel32.dll Sleep function to delay execution for up to 300 seconds before implementing persistence or processing an addon package. |
| enterprise |
T1102 |
Web Service |
DarkTortilla can retrieve its primary payload from public sites such as Pastebin and Textbin. |
| enterprise |
T1047 |
Windows Management Instrumentation |
DarkTortilla can use WMI queries to obtain system information. |