Security Researchers Uncover Dark Tequila Banking Malware
Kaspersky Lab researchers have discovered Dark Tequila, a new and complex malware campaign that has been targeting users in Mexico, especially bank customers, for at least five years. The attackers behind the campaign, which is delivered through spear-phishing emails and infected USB devices, have been stealing banking, personal and corporate data. Because of Spanish words in the code and evidence of local knowledge, the group behind the campaign is believed to be Latin American and Spanish-speaking.
A press release from Kaspersky Lab states: “Kaspersky Lab has discovered a sophisticated cyber-operation named Dark Tequila that has been targeting users in Mexico for at least the last five years, stealing bank credentials, personal and corporate data with malware that can move laterally through the victim computer while offline. According to the researchers, the malicious code spreads through infected USB devices as well as spear-phishing emails and includes features to evade detection. The threat actor behind Dark Tequila is believed to be Spanish-speaking and Latin American in origin.”
The campaign, which delivers an advanced keylogger, remained undetected since at least 2013. This was possible because of the malware’s highly targeted nature and the detection-evasion features built into it. The malware is primarily designed to steal financial data from banking sites, but it also steals other login credentials.
The Kaspersky press release explains: “The Dark Tequila malware and its supporting infrastructure are unusually sophisticated for financial fraud operations. The threat is focused mainly on stealing financial information, but once inside a computer, it also siphons off credentials to other sites, including popular websites, harvesting business and personal email addresses, domain registers, file storage accounts and more, possibly to be sold or used in future operations. Examples include Zimbra email clients and the websites for Bitbucket, Amazon, GoDaddy, Network Solutions, Dropbox, RackSpace and others.”
As mentioned earlier, the Dark Tequila malware enters a system through spear-phishing emails or infected USB devices. Once on a system, it behaves in a very deliberate manner: it contacts its command server and downloads the payload, but only if certain conditions are met. Before doing so, the malware looks for installed security software and for signs of network monitoring. It also checks whether it is running inside a sandbox, an analysis environment that tests samples by executing them. If it detects any of these, the malware simply removes itself from the system.
If no security software, monitoring activity or sandbox-like technology is present on the infected system, the malware activates its local infection stage. An executable file is copied to a removable drive so that it runs automatically. This lets the malware spread offline across the whole network the infected system belongs to, infecting other systems in turn. Likewise, any USB device connected to an infected computer becomes a carrier that takes the malware to the next computer.
The malware includes a keylogger and a Windows monitoring capability, which let it capture personal data and login credentials. The modules that provide these functions are decrypted and activated on instruction from the command server. The stolen data is encrypted and uploaded to the server.
The Kaspersky press release quotes Dmitry Bestuzhev, head of Global Research and Analysis Team, Latin America, as saying, “At first sight, Dark Tequila looks like any other banking Trojan, hunting information and credentials for financial gain. Deeper analysis, however, reveals a complexity of malware not often seen in financial threats…The code’s modular structure, as well as its obfuscation and detection mechanisms, help it to avoid discovery and deliver its malicious payload only when the malware decides it is safe to do so. This campaign has been active for several years and new samples are still being found. To date, it has only attacked targets in Mexico, but its technical capability is suitable for attacking targets in any part of the world.”
To protect themselves from Dark Tequila, users should follow some basic precautions: scan email attachments with antivirus software before opening them, disable AutoRun for USB devices, scan USB devices when they are used, avoid connecting unknown devices or USB sticks to a computer, and use reputable security software.
Businesses should adopt stricter measures, such as blocking USB ports on systems, properly managing the USB devices that are allowed on the enterprise network, and educating staff on safe USB practices.
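As an added example (not part of the article or of Kaspersky’s report), the following PowerShell script audits the Windows settings that implement two of the controls above, disabling AutoRun and blocking USB mass storage, and remediates them when run with `-Enforce`. It assumes an elevated PowerShell session on a Windows 10/11 host; the `autorun.inf` check at the end assumes the classic AutoRun mechanism, which the article does not name explicitly.

```powershell
# Added example, not from the article: audit/remediate AutoRun and USB-storage
# hardening. Assumes an elevated session on Windows 10/11.
[CmdletBinding()]
param([switch]$Enforce)

# Each control: the registry value that implements it and the value we want.
$controls = @(
    @{ Name  = 'AutoRun disabled for every drive type (0xFF)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Want = 0xFF },
    @{ Name  = 'USB mass-storage driver (USBSTOR) disabled (Start=4)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value = 'Start'; Want = 4 },
    @{ Name  = 'All removable storage classes denied by policy'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Value = 'Deny_All'; Want = 1 }
)

$results = foreach ($c in $controls) {
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value `
                -ErrorAction SilentlyContinue).($c.Value)
    $ok = ($null -ne $current) -and ([int]$current -eq $c.Want)
    if (-not $ok -and $Enforce) {
        # Create the policy key if it does not exist yet, then set the DWORD.
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord
        $ok = $true
    }
    [pscustomobject]@{ Control = $c.Name; Current = $current
                       Wanted = $c.Want; Compliant = $ok }
}
$results | Format-Table -AutoSize

# Report (do not open) an autorun.inf on the root of any attached removable drive,
# the file the classic AutoRun mechanism reads. Assumption of this example.
Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object {
        $inf = Join-Path "$($_.DriveLetter):\" 'autorun.inf'
        if (Test-Path $inf) { Write-Warning "autorun.inf present on $($_.DriveLetter):" }
    }
```

Run without `-Enforce` first to see the current state; the USBSTOR and Deny_All changes take effect for newly attached devices, and the policy key is normally set centrally via Group Policy in an enterprise.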
Remember that, as the experts point out, the Dark Tequila campaign is still active and could be deployed against targets anywhere in the world.
Julia Sowells
Julia Sowells is a technology and security professional. Over a decade in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and served as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.