Threat Watch

DarkTortilla Used on Grammarly and Cisco Phishing Sites

The .NET-based malware DarkTortilla has recently been observed in active campaigns by researchers from Cyble Research and Intelligence Labs (CRIL). Various stealers and Remote Access Trojans (RATs) are being delivered alongside DarkTortilla, including AgentTesla, AsyncRAT, NanoCore, and others. DarkTortilla has been operating in various capacities since 2015. The threat actors behind this most recent campaign have created phishing sites that mirror the legitimate pages for Grammarly and Cisco. The malicious links are being distributed via spam emails and online ads. Once users visit these sites and download the malicious samples offered there, the DarkTortilla infection begins.

ANALYST NOTES

Some recommendations from the source article include:

• Do not open suspicious links in emails.
• Do not download software from untrusted sources.
• Use a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
• Refrain from opening untrusted links and email attachments without verifying their authenticity.

It is worth noting that if a visited link seems suspicious, it is recommended to navigate directly to the legitimate website and compare, in order to determine whether the original link is fraudulent.
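The check above (is this link really on the brand's own site?) can be automated for links harvested from mail or proxy logs. The following Python script is an added example and is not code from the source article or from CRIL; it assumes that grammarly.com and cisco.com are the genuine domains for the impersonated brands (the brief names the brands but not their domains), and every sample URL in it is constructed for illustration. A link is flagged as a lookalike when it mentions an impersonated brand anywhere in the URL but its host is not the brand's genuine domain or a subdomain of it, which also catches the host-in-userinfo trick (`https://cisco.com@other.example/`).

```python
from urllib.parse import urlsplit

# Assumption: genuine registrable domains of the brands the campaign impersonates.
LEGITIMATE_DOMAINS = {
    "grammarly": "grammarly.com",
    "cisco": "cisco.com",
}


def host_of(url):
    """Return the lowercased host of a URL, or '' if it cannot be parsed.

    urlsplit().hostname already strips any userinfo ('user:pass@') and the
    port, so 'https://cisco.com@files.example/' yields 'files.example'.
    """
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def under_domain(host, domain):
    """True when host is the domain itself or a subdomain of it.

    The leading dot matters: 'evilgrammarly.com' and
    'grammarly.com.evil.example' must not match 'grammarly.com'.
    """
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    """Classify a link as 'legitimate', 'lookalike' or 'unrelated'.

    legitimate: the host belongs to a brand's genuine domain.
    lookalike:  a brand name appears in the URL (host, userinfo or path)
                but the host is not under that brand's genuine domain.
    unrelated:  no impersonated brand is mentioned at all.
    """
    host = host_of(url)
    if any(under_domain(host, domain) for domain in LEGITIMATE_DOMAINS.values()):
        return "legitimate"
    lowered = url.lower()
    if any(brand in lowered for brand in LEGITIMATE_DOMAINS):
        return "lookalike"
    return "unrelated"


def triage(urls):
    """Map each URL to its verdict; lookalikes are the ones worth investigating."""
    return {url: classify_link(url) for url in urls}


# Constructed sample links (none of these is a real indicator from the brief).
SAMPLE_LINKS = [
    "https://www.grammarly.com/",
    "https://app.cisco.com/",
    "https://grammarly-download.example/setup.exe",
    "https://www.grammarly.com.login-verify.example/",
    "http://cisco.com@files.example/webex.zip",
    "https://example.org/",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {url}")
```

Feed `triage` the URLs extracted from a mail gateway or proxy export and review the `lookalike` verdicts first; brand-name matching is deliberately broad, so expect some benign hits (a CDN path containing the brand name) that a reviewer can dismiss quickly, which is preferable to missing a mirrored site.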

Beware of Highly Sophisticated DarkTortilla Malware Distributed Via Phishing Sites