
The Dark Tequila malware and its supporting infrastructure are unusually sophisticated for financial fraud operations. The threat is focused mainly on stealing financial information, but once inside a computer it also siphons off credentials to other sites, including popular websites, harvesting business and personal email addresses, domain registers, file storage accounts, and more, possibly to be sold or used in future operations. Examples include Zimbra email clients and the websites for Bitbucket, Amazon, GoDaddy, Network Solutions, Dropbox, RackSpace, and others.

The malware carries a multi-stage payload and is distributed to users through infected USB devices and spear-phishing emails. Once inside a computer, the malware makes contact with its command server in order to receive instructions. The payload is delivered to the victim only when certain technical network conditions are met. If the malware detects an installed security solution, network monitoring activity or signs that the sample is being run in an analysis environment, such as a virtual sandbox, it stops the infection routine and clears itself from the system.

If none of these is found, the malware activates the local infection and copies an executable file to a removable drive so that it runs automatically. This enables the malware to move offline through the victim’s network, even when only one machine was initially compromised via spear-phishing. When another USB device is connected to the infected computer, it automatically becomes infected and is ready to spread the malware to another target.

The malicious implant contains all the modules required for the operation, including a key-logger and a window-monitoring capability for capturing login details and other personal information. When instructed to do so by the command server, the different modules decrypt and activate. All stolen data is uploaded to the server in encrypted form.

Dark Tequila has been active since at least 2013, targeting users in Mexico or connected to that country. Based on Kaspersky Lab’s analysis, the presence of Spanish words in the code and evidence of local knowledge suggest the threat actor behind the operation is from Latin America.

“At first sight, Dark Tequila looks like any other banking Trojan, hunting information and credentials for financial gain. Deeper analysis, however, reveals a complexity of malware not often seen in financial threats. The code’s modular structure and its obfuscation and detection mechanisms help it to avoid discovery and to deliver its malicious payload only when the malware decides it is safe to do so. This campaign has been active for several years and new samples are still being found. To date it has only attacked targets in Mexico, but its technical capability is suitable for attacking targets in any part of the world,” said Dmitry Bestuzhev, Head of Global Research and Analysis Team, Latin America, Kaspersky Lab.

Kaspersky Lab products successfully detect and block Dark Tequila-related malware.

Kaspersky Lab advises users to take the following measures to protect themselves from spear-phishing and attacks through removable media such as USB devices:

For all:

  • Check any email attachments with anti-virus security before opening
  • Disable auto-run from USB devices
  • Check USB drives with your anti-virus security before opening
  • Don’t connect unknown devices and USB sticks to your device
  • Use a security solution with additional robust protection against financial threats

Businesses are also advised to ensure that:

  • USB ports on user devices are blocked if they are not required for business
  • The use of USB devices is managed: define which USB devices can be used, by whom and for what
  • Employees are educated on safe USB practices, particularly if they move a device between a home computer and a work device
  • USB drives are not left lying around or on display
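Two of the controls listed above, disabling auto-run and blocking USB storage on hosts that do not need it, are registry policies on Windows. The following script is an added example and not part of the Kaspersky release; it audits those settings and optionally applies them, and it assumes an elevated PowerShell session on a Windows host.

```powershell
# Added example (not from the Kaspersky release): audit, and optionally apply,
# the USB-related controls the advisory lists. Assumes an elevated session.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-UsbHardening {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
    # NoAutorun = 1 makes Windows ignore autorun.inf commands entirely.
    # USBSTOR Start = 4 disables the USB mass-storage driver (no USB drives mount).
    [pscustomobject]@{
        AutoRunDisabledAllDrives = (Get-RegDword $ExplorerPolicy 'NoDriveTypeAutoRun') -eq 0xFF
        AutorunInfIgnored        = (Get-RegDword $ExplorerPolicy 'NoAutorun') -eq 1
        UsbStorageDriverDisabled = (Get-RegDword $UsbStorService 'Start') -eq 4
    }
}

function Set-UsbHardening {
    # -BlockUsbStorage only on hosts that never need removable media.
    param([switch]$BlockUsbStorage)
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoAutorun' -Value 1 -Type DWord
    if ($BlockUsbStorage) {
        Set-ItemProperty -Path $UsbStorService -Name 'Start' -Value 4 -Type DWord
    }
    # Re-audit so the caller sees the resulting state.
    Test-UsbHardening
}

# Audit first; apply only if the auto-run controls are not already in place.
$before = Test-UsbHardening
$before | Format-List
if (-not ($before.AutoRunDisabledAllDrives -and $before.AutorunInfIgnored)) {
    Set-UsbHardening | Format-List
}
```

A change to the USBSTOR start value takes effect for newly inserted devices; the auto-run policy values are read by Explorer on next logon.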

For further information on Dark Tequila, including Indicators of Compromise, read the blog on Securelist.

Dark Tequila: complex banking malware operating since at least 2013

A sophisticated cyber-operation code-named Dark Tequila has been targeting users mainly in Latin America, and in particular Mexico, for at least the last five years, stealing bank credentials and personal and corporate data with malware that can move laterally through the victim’s computers while offline. According to Kaspersky Lab researchers, the malicious code spreads through infected USB devices and spear-phishing and includes features to evade detection. The threat actor behind Dark Tequila is believed to be Spanish-speaking and Latin American in origin.