Cybercriminals never stop in their quest for money and have no intention of doing so: the more schemes they can come up with, the better for their financial well-being. It also suits them when their deeds stay hidden, since that lets them profit without looking over their shoulder or facing punishment. Such was the case with Dark Tequila, which has been attacking Mexican bank customers since 2013 and has only now come to light. Its purpose is to steal financial information and login credentials for a variety of popular online services.
The discovery was made by Kaspersky Lab on August 21, 2018. The multi-stage, highly modular threat has relied on spear-phishing in its attacks, and the people behind it are believed to be Spanish-speaking and based in Latin America. In its blog post, Kaspersky adds that compromised USB drives were also used to spread the malware. The final payload targets Microsoft Office 365, Amazon, Register, Dropbox, Zimbra email, Softlayer, Rackspace, Namecheap, GoDaddy, Bitbucket, IBM Lotus Notes clients, the web hosting control panels cPanel and Plesk, online flight reservation systems, Mexican banks and much, much more.
Kaspersky has identified six Dark Tequila modules in total. The first handles communication with the command-and-control server; through it, all the other modules are controlled remotely and receive their instructions, such as to decrypt and activate. Per Kaspersky, “it verifies if a man-in-the-middle network check is being performed, by validating the certificates with a few very popular websites.” The second module is a combined keylogger and Windows monitor, used to steal personal data for the services listed above. The third is an information stealer that harvests saved passwords from email and FTP clients and from web browsers and hands them to the criminals. All of the data is then encrypted and uploaded to the C&C server.
It doesn’t end there, however. The cybercriminals have put a lot of care into their creation, which is also equipped with a module that destroys any traces of Dark Tequila if it finds itself in a research environment. The malware can recognise debugging environments, virtual machines and devices with security software installed. In such cases it does not launch at all and stays dormant until it judges that there is no danger and that it is safe to begin operating. This is the fourth discovered module.
The fifth module handles USB infection, copying Dark Tequila to any removable drive that is connected to an infected computer. The sixth and final one ensures that the malware keeps running as intended and that its operations are not disrupted. Kaspersky notes that users elsewhere in the world should not take the threat lightly just because it currently operates in Mexico; it could easily switch focus and target any other system. It also describes the malware connected to Dark Tequila as “unusually sophisticated” for this kind of campaign. All in all, it is a dangerous scheme and one that should be prevented from unfolding at all costs. Security software should always be kept running and up to date, and anything suspicious on the Internet is best avoided. Doing so should significantly reduce the chance of this type of threat getting onto a device and help protect the information stored on it.