back to article After 7 years, long-term threat DarkTortilla crypter is still evolving

A highly pervasive .NET-based crypter that has flown under the radar since about 2015 and can deliver a wide range of malicious payloads continues to evolve rapidly, with almost 10,000 code samples being uploaded to VirusTotal over a 16-month period. Dubbed "DarkTortilla," the crypter usually delivers information stealers and …

  1. Pascal Monett Silver badge

    What ?

    "Because its primary payload is executed within memory, no evidence of the payload will be found on the filesystem"

    I seem to recall that Windows Defender scans the RAM in addition to the principle areas of the system disk. I would be very surprised if the major anti-virus companies do not do the same.

    Could someone please explain to me how this sentence is possible ?

    1. Google

      Re: What ?

      Quite.

      "The malicious payload comes in an attachment with a range of file types, from .zip and .iso to .img and .tar., " Even then, your email client will save the attachment to a temporary files directory before extraction of the executable loader and DLL containing the processor. There's your evidence on the filesystem.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like