Dark Tequila Banking malware targets Latin America since 2013
21.8.18 securityaffairs Virus
Kaspersky Labs detected a sophisticated piece of banking malware dubbed Dark Tequila that was used to target customers of several Mexican banks.
Security experts from Kaspersky Labs have spotted a sophisticated strain of banking malware dubbed Dark Tequila that was used to target customers of several Mexican financial institutions.
According to the researchers, the complex Dark Tequila malware went undetected since at least 2013.
Dark Tequila is a multistage malware that spreads via spear-phishing messages and infected USB devices.
The malware steals financial data from a long list of online banking sites from infected systems, it is also able to gather credentials to popular websites, business and personal email addresses, domain registers, and file storage accounts.
The list of websites targeted by the malware includes “Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.”
“Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.” reads the analysis published by Kaspersky.
“A multi-stage payload is delivered to the victim only when certain conditions are met; avoiding infection when security suites are installed or the sample is being run in an analysis environment.”
Kaspersky highlighted that the level of sophistication of the threat is unusual for financial fraud schemes, it implements complex evasion techniques. The malware is delivered only if certain technical conditions are met, it is able to detect analysis environments and security solutions. infection.
Dark Tequila campaign delivers an advanced keylogger that went undetected at least for five years due to its highly targeted nature and a few evasion techniques.
According to the experts, the threat actor behind the Dark Tequila malware strictly monitors and controls all operations. In case the malware casually infects a system, a machine that is not in Mexico or that is not of interest, the malware is uninstalled remotely from the victim’s machine.
Dark Tequila has a modular structure, Kaspersky listed the following 6 primary modules:
Module 1, which is responsible for communication with the command and control server. It verifies if a man-in-the-middle network check is being performed, by validating the certificates with a few very popular websites.
Module 2 – CleanUp. If the service detects any kind of ‘suspicious’ activity in the environment, such as the fact that it is running on a virtual machine, or that debugging tools are running in the background, it will execute this module to perform a full cleanup of the system, removing the persistence service as well as any files created previously on the system.
Module 3 – Keylogger and Windows Monitor. This is designed to steal credentials from a long list of online banking sites, as well as generic Cpanels, Plesk, online flight reservation systems, Microsoft Office365, IBM lotus notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.
Module 4 – Information stealer, which is designed to steal saved passwords in email and FTP clients, as well as from browsers.
Module 5 – The USB infector. This copies an executable file to a removable drive to run automatically. This enables the malware to move offline through the victim’s network, even when only one machine was initially compromised via spear-phishing. When another USB is connected to the infected computer, it automatically becomes infected, and ready to spread the malware to another target.
Module 6 – The service watchdog. This service is responsible for making sure that the malware is running properly.
The Dark Tequila campaign is still active, further details including the IoCs are reported in the blog post published by Kaspersky.