Dark Tequila: A threat for Mexican bank clients


This malware campaign has been active since 2013 and targets victims in Mexico

Specialists at a cyber security organization are tracking an ongoing malicious campaign in Mexico that relies on a highly complex tool designed to steal financial information and login credentials for popular websites. The campaign, known as Dark Tequila, shows unusually sophisticated support infrastructure, especially for a financial fraud campaign.

“A multi-stage payload reaches the victim only under certain conditions; Dark Tequila avoids infection when security suites are installed or the sample is running in an analysis environment,” the cyber security organization's experts said last Tuesday.

From the target list recovered from the final payload, the researchers deduced that the campaign is aimed at customers of several Mexican banking institutions. The payload contains code comments written in Spanish, using regional words that are only used in Latin America.

This year, researchers told several media outlets that they have found about 30K targets of the campaign, and because they do not have full visibility of the problem, the total number of targets is likely even higher.

This recently disclosed malware has gradually become a focus of attention for the cyber security organization's experts.

According to reports from various firms, the Dark Tequila campaign has been active for five years, during which various analyses have been carried out without yielding a global view of the problem.

Dark Tequila spreads through two widely known infection vectors: spear-phishing and infected USB devices, the latter handled by one of the malware's modules. Once a victim's system is infected, the different modules are decrypted and activated on instruction from the command-and-control server.

The malware consists of six modules, including a watchdog service module responsible for ensuring the malware keeps running correctly; an information stealer that extracts passwords saved in browsers; a keylogger; and a Windows monitor module, which steals credentials for online banking sites, online flight booking systems, Microsoft Office 365, Amazon and GoDaddy, among others.

The malware also extracts login credentials for websites ranging from code repositories to public file storage accounts and domain registrars. All stolen data is uploaded to the server in encrypted form.

Another module handles communication with the command-and-control server and checks whether the malware's own network traffic is being intercepted (a man-in-the-middle, MitM, check). Dark Tequila also watches for “suspicious” conditions on the system, such as running inside a virtual machine, and in that case runs a full cleanup module that removes its persistence services. For analysts this means that a sample detonated in a sandbox that intercepts TLS or exposes obvious virtualization artifacts will tend to clean itself up rather than deploy its payload.
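The article does not say how Dark Tequila performs its MitM check. The example below is added here (it is not the malware's code and not from the original page) and shows the most common way such a check is built: compare the leaf certificate each well-known host presents against a fingerprint the client already trusts; a mismatch means something, typically an interception proxy or an analysis sandbox, is terminating TLS in the middle. Host names and certificate bytes are constructed placeholders, not real certificates; the same logic is what defenders use for certificate pinning.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def check_interception(observed: dict[str, bytes], pinned: dict[str, str]) -> dict:
    """Compare each host's observed leaf certificate (DER bytes) to its pinned
    fingerprint. Any mismatch is treated as evidence of TLS interception; a host
    that could not be reached is reported separately and does not count as
    interception on its own."""
    per_host = {}
    for host, pin in pinned.items():
        der = observed.get(host)
        if der is None:
            per_host[host] = "unreachable"
        elif fingerprint(der) == pin:
            per_host[host] = "match"
        else:
            per_host[host] = "mismatch"
    return {
        "intercepted": any(v == "mismatch" for v in per_host.values()),
        "per_host": per_host,
    }


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Live mode (needs network): return the DER leaf certificate actually
    presented on the wire. Verification is disabled on purpose so that a
    forged certificate from an intercepting proxy is captured rather than
    rejected before it can be compared against the pin."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed sample data (NOT real certificates): byte strings standing in for
# the DER leaf certificates of three well-known hosts, and the pins a client
# would ship with.
GENUINE_CERTS = {
    "bank.example": b"constructed DER bytes standing in for bank.example's leaf cert",
    "search.example": b"constructed DER bytes standing in for search.example's leaf cert",
    "mail.example": b"constructed DER bytes standing in for mail.example's leaf cert",
}
PINS = {host: fingerprint(der) for host, der in GENUINE_CERTS.items()}

# Scenario: an intercepting proxy mints its own certificate for bank.example.
PROXIED_CERTS = dict(GENUINE_CERTS)
PROXIED_CERTS["bank.example"] = b"constructed DER bytes for a cert minted by an intercepting proxy"


def main() -> None:
    clean = check_interception(GENUINE_CERTS, PINS)
    proxied = check_interception(PROXIED_CERTS, PINS)
    print("direct connection :", clean)
    print("behind TLS proxy  :", proxied)


if __name__ == "__main__":
    main()
```

Pinning the leaf fingerprint, as above, is brittle because leaf certificates rotate; production pinning usually pins the issuer or the subject public key instead. The point for an analyst is the same either way: if the sandbox terminates TLS, every pinned host mismatches at once, which is exactly the signal a sample like this one uses to decide not to detonate.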

Specialists from the International Institute of Cyber Security report that the campaign remains active and could be deployed anywhere in the world, making it a considerable threat.