Security researchers at Kaspersky Lab have spotted a sophisticated strain of banking malware, dubbed Dark Tequila, that has been used to target customers of several Mexican financial institutions.
According to the researchers, the complex Dark Tequila malware went undetected since at least 2013.
Dark Tequila is a multistage malware that spreads via spear-phishing messages and infected USB devices.
The malware steals financial data for a long list of online banking sites from infected systems; it is also able to harvest credentials for popular websites, business and personal email accounts, domain registrars, and file storage services.
The list of websites targeted by the malware includes “Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.”
“Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.” reads the analysis published by Kaspersky.
“A multi-stage payload is delivered to the victim only when certain conditions are met; avoiding infection when security suites are installed or the sample is being run in an analysis environment.”
Kaspersky highlighted that this level of sophistication is unusual for financial fraud schemes: the malware implements complex evasion techniques, delivers its later stages only if certain technical conditions are met, and is able to detect analysis environments and installed security solutions before it commits to an infection.
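To make the "deliver only when conditions are met" logic concrete, here is an added model of how such environment gating is typically structured. This is illustration code written for this page, not Dark Tequila's own code; the process names, thresholds and country check are assumptions chosen to show the shape of the technique, not indicators recovered from the real samples. The same structure is what an analyst has to satisfy (realistic locale, no visible security product, signs of a lived-in machine) before a sandbox run of a gated sample will ever reach the next stage.

```python
"""Model of conditional next-stage delivery (environment gating).

Added illustration, not Dark Tequila's code. Every list and threshold
below is an assumption made for the example, not a recovered indicator.
"""
from dataclasses import dataclass

# Assumed process names a stage-1 loader might treat as "security suite present".
SECURITY_PROCESSES = {"avp.exe", "msmpeng.exe", "ekrn.exe", "bdagent.exe"}
# Assumed process names that reveal a virtual machine / analysis guest.
VM_PROCESSES = {"vboxservice.exe", "vmtoolsd.exe", "vgauthservice.exe"}
# The campaign is described as targeting users in Mexico; ISO 3166 code assumed.
TARGET_COUNTRY = "MX"
MIN_UPTIME_HOURS = 1.0   # assumption: a freshly booted guest looks like a sandbox
MIN_USER_FILES = 20      # assumption: an empty profile looks like a sandbox


@dataclass
class HostProfile:
    """Observations the loader would collect on the host (constructed data)."""
    processes: set
    country: str
    uptime_hours: float
    user_files: int


def evasion_reasons(host: HostProfile) -> list:
    """Return the list of conditions that would stop delivery; empty means deliver."""
    reasons = []
    running = {p.lower() for p in host.processes}

    av = running & SECURITY_PROCESSES
    if av:
        reasons.append(f"security product running: {sorted(av)}")

    vm = running & VM_PROCESSES
    if vm:
        reasons.append(f"virtual machine artifacts: {sorted(vm)}")

    if host.country.upper() != TARGET_COUNTRY:
        reasons.append(f"host outside target country: {host.country}")

    if host.uptime_hours < MIN_UPTIME_HOURS:
        reasons.append(f"uptime {host.uptime_hours:.1f}h below {MIN_UPTIME_HOURS}h")

    if host.user_files < MIN_USER_FILES:
        reasons.append(f"only {host.user_files} user files, profile looks unused")

    return reasons


def should_deliver_next_stage(host: HostProfile) -> bool:
    """Gate: the second stage is fetched only when no evasion condition fires."""
    return not evasion_reasons(host)


# Constructed sample hosts: a plausible victim and a default analysis guest.
VICTIM = HostProfile(
    processes={"explorer.exe", "chrome.exe", "outlook.exe"},
    country="MX", uptime_hours=37.5, user_files=412,
)
SANDBOX = HostProfile(
    processes={"explorer.exe", "vmtoolsd.exe", "MsMpEng.exe"},
    country="US", uptime_hours=0.2, user_files=3,
)

if __name__ == "__main__":
    for name, host in (("victim", VICTIM), ("sandbox", SANDBOX)):
        print(name, "deliver" if should_deliver_next_stage(host) else "abort",
              evasion_reasons(host))
```

Reading the reasons list for the sandbox profile tells the analyst exactly which knobs to turn (locale, process list, uptime, decoy user data) before re-detonating; a loader that aborts silently on the first failed check gives no such feedback, which is one reason gated campaigns stay undetected for years.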
The Dark Tequila campaign delivers an advanced keylogger that went undetected for at least five years thanks to its highly targeted nature and its evasion techniques.
According to the experts, the threat actor behind Dark Tequila strictly monitors and controls all operations. If the malware accidentally infects a machine that is not in Mexico or is otherwise not of interest, the operators remotely uninstall it from the victim's system.
Dark Tequila has a modular structure; Kaspersky listed the following six primary modules:
The Dark Tequila campaign is still active, further details including the IoCs are reported in the blog post published by Kaspersky.