DarkTortilla
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | DarkTortilla has used HTTP and HTTPS for C2.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | DarkTortilla has established persistence via the `Software\Microsoft\Windows NT\CurrentVersion\Run` registry key and by creating a .lnk shortcut file in the Windows startup folder.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | DarkTortilla has established persistence via the `Software\Microsoft\Windows NT\CurrentVersion\Winlogon` registry key.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | DarkTortilla can use `cmd.exe` to add registry keys for persistence.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1574.012 | Hijack Execution Flow: COR_PROFILER | DarkTortilla can detect profilers by checking whether the `COR_ENABLE_PROFILING` environment variable is present and active.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1056.001 | Input Capture: Keylogging | DarkTortilla can download a keylogging module.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | DarkTortilla has used the `WshShortcut` COM object to create a .lnk shortcut file in the Windows startup folder.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | DarkTortilla has been distributed via spearphishing emails containing archive attachments, with file types such as .iso, .zip, .img, .dmg, and .tar, as well as through malicious documents.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | DarkTortilla can use a .NET-based DLL named `RunPe6` for process injection.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | DarkTortilla can check for the Kaspersky Anti-Virus suite.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | DarkTortilla can check for internet connectivity by issuing HTTP GET requests.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1204.002 | User Execution: Malicious File | DarkTortilla has relied on a user to open a malicious document or archived file delivered via email for initial execution.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | DarkTortilla can search a compromised system's running processes and services to detect Hyper-V, QEMU, Virtual PC, VirtualBox, and VMware, as well as Sandboxie.(Citation: Secureworks DarkTortilla Aug 2022)
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | DarkTortilla can call the `kernel32.dll` Sleep function to delay execution for up to 300 seconds before establishing persistence or processing an addon package.(Citation: Secureworks DarkTortilla Aug 2022)
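As an added example that is not part of the ATT&CK entry or the Secureworks report: a small Python hunt over Sysmon-style telemetry for the autostart locations the table attributes to DarkTortilla (T1547.001 Run key and Startup-folder .lnk, T1547.004 Winlogon). It consumes "Registry value set" (EventID 13) and "File created" (EventID 11) records, flags any Run-key value write and any Startup-folder .lnk creation, and flags a Winlogon `Shell` or `Userinit` write whose value differs from the Windows default. The events, SIDs and paths are constructed for illustration; field names follow Sysmon's schema. The `Userinit` check is an addition beyond the table, which names only the Winlogon key, and the Run-key pattern accepts both the `Windows\CurrentVersion\Run` and the `Windows NT\CurrentVersion\Run` spellings so the path as written in the table is matched.

```python
"""Hunt Sysmon-style events for DarkTortilla-style autostart persistence.

Added example; the sample events below are constructed, not taken from the
Secureworks report or any real host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# T1547.001: any value written under a Run/RunOnce key (HKCU or HKLM).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows(?: NT)?\\CurrentVersion\\Run(?:Once)?\\[^\\]+$",
    re.IGNORECASE,
)
# T1547.004: the two Winlogon values that launch code at logon.
WINLOGON_RE = re.compile(
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$",
    re.IGNORECASE,
)
# T1547.001: a shortcut dropped into a Startup folder (per-user or all-users).
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Windows defaults; a write of anything else (e.g. "explorer.exe, C:\...\x.exe")
# hijacks logon execution.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe", r"c:\windows\system32\userinit.exe,"},
}


@dataclass
class Finding:
    technique: str
    event_id: int
    image: str      # process that performed the write
    target: str     # registry value or file path touched
    details: str    # registry data written, if any


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if a single Sysmon event matches an autostart indicator."""
    eid, image = ev["EventID"], ev.get("Image", "")
    if eid == 13:  # RegistryEvent (Value Set)
        target, details = ev["TargetObject"], ev.get("Details", "")
        if RUN_KEY_RE.search(target):
            return Finding("T1547.001 Run key", eid, image, target, details)
        m = WINLOGON_RE.search(target)
        if m and details.strip().lower() not in WINLOGON_DEFAULTS[m.group(1).lower()]:
            return Finding("T1547.004 Winlogon " + m.group(1), eid, image, target, details)
    elif eid == 11:  # FileCreate
        target = ev["TargetFilename"]
        if STARTUP_LNK_RE.search(target):
            return Finding("T1547.001 Startup .lnk", eid, image, target, "")
    return None


def hunt(events: List[dict]) -> List[Finding]:
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample telemetry (hypothetical SID, user and paths).
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    # cmd.exe (T1059.003) rewriting Winlogon Shell to chain a payload after explorer.exe
    {"EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\Users\victim\AppData\Roaming\Updater\update.exe"},
    # Run key value pointing into the user profile
    {"EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\Updater\update.exe"},
    # .lnk created in the per-user Startup folder
    {"EventID": 11, "Image": r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    # Benign: Winlogon Shell written with its default value
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    # Benign: ordinary document write outside any Startup folder
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\victim\Documents\report.docx"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.technique}] EID {f.event_id} by {f.image}\n    {f.target}\n    {f.details}")
```

Run-key writes are common for legitimate installers, so treat that hit as hunt output to triage by the writing process (here `cmd.exe` writing a path under the user profile, matching the T1059.003 row) rather than as an alert on its own. A non-default Winlogon `Shell` or `Userinit` value is rarely legitimate and can be alerted on directly.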