Security researchers at Kaspersky Lab recently discovered malware targeting computer users in Mexico, called “Dark Tequila.” Notably, Dark Tequila is not new: attacks based on this malware can be traced back to at least 2013. In other words, it has been active in Mexico for at least five years.
Researchers say that the Dark Tequila developers use a variety of techniques to evade security detection, including checking whether the malware is running on a virtual machine or under a debugging tool. The attackers also choose their targets very narrowly (only customers of several Mexican banks), which has helped the campaign stay active to this day.
Dark Tequila is designed to steal the victim’s financial information from online banking websites (using a pre-built list of many online banking sites) and to steal the victim’s login credentials for a number of well-known websites (also from a pre-built list, which includes online source code repositories, file-sharing sites, and domain registrars).
In general, the targets on the preset list include: generic cPanel and Plesk hosting control panels, online ticket and flight booking systems, Microsoft Office 365, the IBM Lotus Notes client, Zimbra email, the source code hosting site Bitbucket, Amazon, the domain registrars GoDaddy, Register and Namecheap, Dropbox cloud storage, SoftLayer (described as currently the world’s largest IDC company), Rackspace (a hosted server and cloud computing provider) and other services.
It should be noted that the malware is delivered to the victim’s computer via spear phishing or infected USB devices. Once on the machine, it first performs various checks, including whether anti-virus software is installed and whether it is running in an analysis environment. Only after it has satisfied itself that the environment is “safe” does it begin its malicious activity.
According to Kaspersky Lab researchers, the Dark Tequila malware consists of six main modules, as follows:
- Module 1, which is responsible for communication with the command and control server. It checks whether its network traffic is being intercepted by a man-in-the-middle by validating the certificates of a few very popular websites.
- Module 2 – CleanUp. If the service detects any kind of ‘suspicious’ activity in the environment, such as the fact that it is running on a virtual machine, or that debugging tools are running in the background, it will execute this module to perform a full cleanup of the system, removing the persistence service as well as any files created previously on the system.
- Module 3 – Keylogger and Windows Monitor. This is designed to steal credentials from a long list of online banking sites, as well as generic cPanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, SoftLayer, Rackspace, and other services.
- Module 4 – Information stealer, which is designed to steal saved passwords in email and FTP clients, as well as from browsers.
- Module 5 – The USB infector. This copies an executable file to a removable drive so that it runs automatically. This lets the malware spread offline through the victim’s network, even when only one machine was initially compromised via spear-phishing. When another USB device is connected to the infected computer, it automatically becomes infected and is ready to carry the malware to another target.
- Module 6 – The service watchdog. This service is responsible for making sure that the malware is running properly.
The researchers stressed that the Dark Tequila malware is still in use. Although it has so far only been used against customers of Mexican banks, it could be turned against other countries or even any industry; that depends entirely on the attackers’ interests.
As described above, Dark Tequila spreads by email and by infected USB devices. Being alert to suspicious emails and scanning any USB device for malware before using it is therefore the most direct way to prevent this kind of threat.
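Module 5 above and the advice to check USB devices before use both point to a simple defensive triage step for removable media. The Python below is an added example, not code from the article or from Kaspersky; it assumes the “run automatically” behaviour relies on an autorun.inf file (the page does not say how the executable is launched), parses that file, reports which executables it would launch and whether they are present on the drive, and flags the common “Open folder to view files” AutoPlay lure. The sample autorun.inf and file list are constructed for the example.

```python
# File types Windows runs directly when named by an autorun.inf launch key.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries

def launch_targets(entries):
    """Programs that open=, shellexecute= or shell\\<verb>\\command= would run."""
    targets = []
    for key, value in entries:
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            # the program is the first token; it may be quoted, arguments follow it
            program = value[1:].split('"', 1)[0] if value.startswith('"') else value.partition(" ")[0]
            program = program.replace("/", "\\").lstrip(".\\")  # drop a leading .\ or \
            targets.append(program.lower())
    return list(dict.fromkeys(targets))  # de-duplicate, keep order

def inspect_removable_drive(autorun_text, drive_files):
    files = {f.replace("/", "\\").lower() for f in drive_files}
    entries = parse_autorun(autorun_text)
    findings = []
    for target in launch_targets(entries):
        if target.endswith(EXECUTABLE_EXTS):
            status = "present on drive" if target in files else "missing"
            findings.append(f"autorun.inf would execute {target} ({status})")
    for key, value in entries:
        # action= sets the AutoPlay prompt text; copying Explorer's default wording is a lure
        if key == "action" and "open folder" in value.lower():
            findings.append(f"AutoPlay label spoofs the Explorer default: {value!r}")
    return findings

# Constructed sample (not from the page): an autorun.inf and the drive's file list.
SAMPLE_AUTORUN = """[AutoRun]
open=RECYCLER\\update.exe
shell\\open\\command=RECYCLER\\update.exe
action=Open folder to view files
"""
SAMPLE_FILES = ["autorun.inf", "RECYCLER/update.exe", "docs/report.docx"]
if __name__ == "__main__":
    print("\n".join(inspect_removable_drive(SAMPLE_AUTORUN, SAMPLE_FILES)))
```

Current Windows versions no longer honour autorun.inf on removable drives, so this check mainly helps when triaging media from older machines or when deciding whether a drive needs a full scan before use.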