Tortilla

Description

(Talos) Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware, predominantly affecting users in the U.S., with a smaller number of infections in the U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand.

The actor behind the campaign is sometimes referred to as Tortilla, based on the payload file names used in the campaign. This is a new actor, operating since July 2021. Prior to this ransomware, Tortilla had been experimenting with other payloads, such as the PowerShell-based netcat clone Powercat, which is known to provide attackers with unauthorized access to Windows machines.

We assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell.
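The access chain Talos describes (ProxyShell path-confusion requests against Exchange, then POSTs to a dropped China Chopper web shell) leaves a recognisable trace in IIS logs. The following triage script is an added example and is not Talos code or part of this card. It assumes a W3C-format IIS log with a `#Fields:` header, treats `/aspnet_client/` and `/owa/auth/` as the front-end directories where dropped `.aspx` shells commonly land (an assumption, tune it to your deployment), and runs over a constructed log excerpt rather than captured campaign data. The ProxyShell indicator it keys on is the publicly documented one: a request to `/autodiscover/autodiscover.json` whose query string itself contains `autodiscover.json`, which legitimate Autodiscover clients do not send.

```python
"""Heuristic IIS-log triage for the ProxyShell -> China Chopper access pattern.

Added example (not Talos code).  Assumptions: W3C IIS log with a #Fields header;
the WEBSHELL_DIRS list below; the SAMPLE_LOG lines are constructed, not real.
"""
import re
from urllib.parse import unquote

# Constructed IIS log excerpt.  198.51.100.7 sends ProxyShell-style requests and
# then POSTs to an .aspx file in /aspnet_client/; 203.0.113.x is benign traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-10-12 08:01:10 GET /owa/auth/logon.aspx url=%2fowa%2f 203.0.113.10 200
2021-10-12 08:02:31 GET /autodiscover/autodiscover.json @example.org/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.org 198.51.100.7 200
2021-10-12 08:02:35 POST /autodiscover/autodiscover.json @example.org/powershell/?&Email=autodiscover/autodiscover.json%3F@example.org 198.51.100.7 200
2021-10-12 08:03:02 POST /aspnet_client/system_web/error.aspx - 198.51.100.7 200
2021-10-12 08:03:40 POST /aspnet_client/system_web/error.aspx - 198.51.100.7 200
2021-10-12 08:05:00 GET /ecp/default.aspx - 203.0.113.11 200
"""

# Exchange front-end directories where dropped web shells are commonly written.
# Assumption for this example; extend with your own server layout.
WEBSHELL_DIRS = ("/aspnet_client/", "/owa/auth/")


def parse_iis(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        yield dict(zip(fields, values))


def is_proxyshell_request(rec):
    """autodiscover.json requested with autodiscover.json repeated in the query
    (the path-confusion shape of ProxyShell exploitation)."""
    stem = rec["cs-uri-stem"].lower()
    query = unquote(rec["cs-uri-query"]).lower()
    return stem.endswith("/autodiscover/autodiscover.json") and "autodiscover.json" in query


def is_suspicious_webshell_post(rec):
    """POST to an .aspx file in a directory that should only serve static content."""
    stem = rec["cs-uri-stem"].lower()
    return (rec["cs-method"].upper() == "POST"
            and stem.endswith(".aspx")
            and any(stem.startswith(d) for d in WEBSHELL_DIRS))


def triage(text):
    """Return (tag, client_ip, uri) findings.  A web-shell POST from an IP that
    already issued ProxyShell requests is tagged separately, since that pairing
    is the sequence Talos attributes to the campaign's initial access."""
    findings = []
    proxyshell_ips = set()
    for rec in parse_iis(text):
        if is_proxyshell_request(rec):
            proxyshell_ips.add(rec["c-ip"])
            findings.append(("proxyshell", rec["c-ip"], rec["cs-uri-stem"]))
        elif is_suspicious_webshell_post(rec):
            tag = ("webshell-post-after-proxyshell" if rec["c-ip"] in proxyshell_ips
                   else "webshell-post")
            findings.append((tag, rec["c-ip"], rec["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for tag, ip, uri in triage(SAMPLE_LOG):
        print(f"{tag:32} {ip:15} {uri}")
```

A web-shell POST is only a hint on its own (custom `.aspx` handlers in those directories do exist), so the script keeps it as a lower-confidence tag and promotes it when the same client IP has already sent ProxyShell-shaped requests. Run it over real logs with `parse_iis(open(path).read())`; the field names follow the `#Fields:` header, so reordered or extended IIS logging configurations parse without changes as long as the four columns used here are present.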

Names

Name      Name-Giver
Tortilla  TG Soft

Country

Motivation

  • Financial gain

First Seen

2021

Observed Countries

  • U.S.
  • U.K.
  • Germany
  • Ukraine
  • Finland
  • Brazil
  • Honduras
  • Thailand

Tools

  • Babuk (ransomware)
  • Powercat (PowerShell-based netcat clone)
  • China Chopper (web shell)

Information

Other Information

Uuid

25af3745-49fb-4e81-b341-6e7395349970

Last Card Change

2021-11-04