Recently researchers at Kaspersky Labs have uncovered a new, complex malware campaign targeting Mexican users. The malware was dubbed Dark Tequila.
Dark Tequila has been active at least since 2013
The Dark Tequila malware campaign has been targeted Mexican banking customers for at least five years, since 2013.
Dark Tequila has been distributing advanced keylogger malware, which has not been detected for at least 5 years of activity. The malware has avoided being detected due to its advanced evasion methods and highly targeted nature.
Dark Tequila aims to steal the targets’ financial credentials and other sensitive banking information from banking sites, and credentials to various websites that range from code versioning repositories to public file storage accounts and domain registrars.
Some of the targeted websites include Cpanels, Plesk, Microsoft 365, IBM Lotus Notes clients Amazon, GoDaddy, Dropbox and other popular services.
Dark Tequila is distributed via spear-phishing and infected USB devices. It is worth to mention that the malware is only capable to infect a victim’s device under certain conditions: the infected machine should not have any antivirus system installer or should not be running in an analysis environment.
Kaspersky Lab detects the campaign as Trojan.Win32.DarkTequila and Trojan.Win64.DarkTequila.
In addition, the researchers noted that “the threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim’s machine.”
The malware contains six primary modules, that include the following:
- C&C – The C&C part of Dark Tequila is responsible for communication between the compromised devices and the command and control, also known as C&C servers.
- CleanUp – as it was mentioned before, the malware performs evasion methods, and if there are any ‘suspicious’ activity detected, Dark Tequila performs a full cleanup.
- Keylogger – the Keylogger module was created in order to perform monitoring of the system. It logs keystrokes and attempts to steal user credentials.
- Information Stealer – this module is able to extract saved credentials from email, FTP customers, and Internet browsers.
- The USB Infector is able to replicate itself in order to distribute the malware via USB drives.
- Service Watchdog – the service watchdog module makes sure that the Dark Tequila malware runs properly.
The malware campaign is still active: Be Careful!
Security researchers also noted that even though the Dark Tequila malware campaign is uncovered but it remains active.
Users across the globe should be vigilant since the Dark Tequila malware campaign is designed to be deployed in other parts of the world.