Dark Tequila: A complex banking malware targeting Latin America since 2013

Aurel Dragan 21/08/2018 | 15:29

A sophisticated cyber operation called Dark Tequila has targeted Mexican users for at least five years, stealing banking credentials and information about individual users and companies with malware that can move through a victim's computer even when it is offline. According to Kaspersky Lab researchers, the malware spreads through infected USB devices and targeted phishing, and includes features to evade detection. It is believed that the author behind Dark Tequila speaks Spanish and comes from Latin America.

The Dark Tequila malware and its supporting infrastructure are unusually sophisticated for a financial fraud operation. The threat focuses mainly on the theft of financial information, but once inside a computer it also steals login data for other sites, including some popular ones, collecting access to personal and business email, domains, file storage, and more, which is likely to be sold or used in future operations. Examples include Zimbra email clients and sites for Bitbucket, Amazon, GoDaddy, Network Solutions, Dropbox, and RackSpace.

The malware has several stages of infection and is distributed to users via infected USB devices and targeted phishing emails. Once on the computer, the malware contacts the command and control server for instructions. The infection proceeds only if certain technical conditions on the network are met. If the malware detects an installed security solution, network monitoring activity, or signs that the sample is being analyzed in an environment such as a virtual sandbox, it stops the infection process and removes itself from the system.

If none of these are detected, the malware activates the local infection and copies an executable file to an external drive, set to launch automatically. This allows the malware to move through the victim's network offline, even if only one device was initially compromised through targeted phishing. When another USB drive is connected to a compromised computer, it is automatically infected and ready to spread the malware to another target.

The malicious implant contains all the modules required for the operation, including a keylogger and window-monitoring capability to capture login details and other personal information. The various modules are activated when the command and control server issues the command. All stolen data is uploaded to the server in encrypted form.

Dark Tequila has been active since 2013, targeting users in or related to Mexico. Based on Kaspersky Lab's analysis, the presence of Spanish words in the code and evidence of local knowledge suggest that the authors of this operation are from Latin America.

“At first glance, Dark Tequila looks like any other bank trojan that hunts information and authentication data to get financial gains, but more careful analysis shows a complexity of malware maliciously encountered in financial threats,” says Dmitry Bestuzhev, Head of Global Research and Analysis Team, Latin America, Kaspersky Lab. “The modular structure of the code and its ability to hide it helps avoid detection mechanisms and trigger the infection process only when it decides that it is safe to do so. This campaign has been active for many years and new samples are still found. So far, it has only attacked targets in Mexico but has the technical ability to attack victims from any part of the world.”

Kaspersky Lab products detect and block the Dark Tequila malware. The company recommends that users take the following steps to protect themselves from phishing and from attacks delivered through external devices such as USB sticks.

All users:

  • Check email attachments with an antivirus solution before opening them
  • Disable auto-run for USB devices
  • Check USB drives with an antivirus solution before opening them
  • Do not connect unknown devices and USB sticks to your device
  • Use a security solution with strong additional protection against financial threats

Companies are also advised:

  • If USB access is not necessary for the business, block the USB ports on users' devices
  • Make sure you manage the use of USB devices properly: determine which USB devices can be used, by whom, and for what purpose
  • Educate employees on safe USB practices, especially if they carry a device between home and work computers
  • Do not leave USB devices in plain view