Researchers have been tracking an ongoing malicious campaign targeting victims in Mexico, with a highly crafted tool built to steal financial information and login credentials for popular websites.
Researchers at Kaspersky Lab said today that the campaign, dubbed Dark Tequila, and its supporting infrastructure are unusually sophisticated, especially for a financial fraud operation — with its operations distilled down to a set of highly targeted and effective attack modules.
“A multi-stage payload is delivered to the victim only when certain conditions are met; avoiding infection when security suites are installed or the sample is being run in an analysis environment,” they said in a Tuesday post.
Researchers were able to deduce from the target list retrieved from the final payload that the campaign targets customers of several Mexican banking institutions. The payload contains comments embedded in the code written in the Spanish language, using regional words only spoken in Latin America, they said.
In 2018 alone, researchers told Threatpost, they have already seen 30,000 campaign targets; because they lack full visibility into the operation, the true number is higher.
The newly-disclosed malware has slowly come into focus for researchers.
“The Dark Tequila campaign has been active since at least 2013, so all these years we have analyzed and detected its samples but never had a chance to take a global clustered look on it,” Dmitry Bestuzhev, director of Kaspersky Lab’s global research and analysis team in Latin America, told Threatpost. “By the end of 2017… we were able to understand it’s an organized campaign, and then we started our research calling it Dark Tequila because of its roots.”
Dark Tequila spreads using two known infection vectors: spear-phishing and infection by USB device (via one of the malware’s modules).
After the victim systems are infected, different modules decrypt and activate when instructed to do so by the command server.
The malware features six modules, including a service watchdog module responsible for making sure it’s running properly; an information-stealer that steals saved passwords from browsers, as well as email and FTP clients; and a keylogger and Windows Monitor module, which steals credentials from online banking sites, online flight reservation systems, Microsoft Office365, Amazon and GoDaddy, among others.
The malware also interestingly scoops login credentials from websites ranging from code-versioning repositories to public file storage accounts and domain registrars. All stolen data is uploaded to the server in encrypted form.
Another module is responsible for communicating with the command-and-control server and for checking whether its traffic is being intercepted by a man-in-the-middle (MitM) proxy, as a sandbox or corporate inspection gateway would do; it does so by validating the TLS certificates presented by a few very popular websites before it talks to its own infrastructure.
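The same check turned around for defensive use, as an added example that is not part of the article or of Kaspersky's analysis tooling: validate the chain for a well-known host and then compare the leaf certificate's issuer against the CA that host is known to use. A validating handshake alone is not enough, because an inspection proxy whose root is installed in the machine's trust store passes validation; the issuer comparison is what exposes it. The expected issuer names and the two sample certificates below are constructed for the example and should be refreshed from a trusted vantage point before real use.

```python
"""Detect TLS interception by inspecting the certificate a well-known host presents."""
import socket
import ssl

# Assumption: illustrative issuer organizations per probe host. Public CAs rotate
# intermediates, so these must be re-captured from a trusted network before use.
EXPECTED_ISSUER_ORGS = {
    "www.google.com": {"Google Trust Services LLC", "Google Trust Services"},
    "www.microsoft.com": {"Microsoft Corporation", "DigiCert Inc"},
}


def issuer_org(peercert):
    """Pull organizationName out of the nested-tuple 'issuer' field that
    ssl.SSLSocket.getpeercert() returns: a tuple of RDNs, each a tuple of
    (attribute, value) pairs."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return None


def interception_suspected(host, peercert, expected=EXPECTED_ISSUER_ORGS):
    """True when the leaf was issued by a CA we do not expect for this host.
    An unknown host has no baseline, so it is reported as suspicious too."""
    return issuer_org(peercert) not in expected.get(host, set())


def fetch_peercert(host, port=443, timeout=5.0):
    """Live probe. The default context validates the full chain against the
    system trust store and checks the hostname; an interceptor whose CA is
    not trusted fails here with ssl.SSLCertVerificationError. An interceptor
    whose CA *is* trusted passes, which is why the caller still compares
    the issuer afterwards."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def probe(hosts=None):
    """Return {host: True | False | None}: True = interception suspected,
    False = issuer as expected, None = handshake or validation failed."""
    results = {}
    for host in (hosts or EXPECTED_ISSUER_ORGS):
        try:
            results[host] = interception_suspected(host, fetch_peercert(host))
        except OSError:  # ssl.SSLError and socket errors both derive from OSError
            results[host] = None
    return results


# Constructed sample certificates in getpeercert() format (not captured from any
# real host): one issued by the expected public CA, one by a proxy's private CA.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Google Trust Services LLC"),),
               (("commonName", "GTS CA 1C3"),)),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Corp TLS Inspection CA"),),
               (("commonName", "Example Corp Proxy"),)),
}

if __name__ == "__main__":
    for label, cert in (("direct", SAMPLE_DIRECT), ("intercepted", SAMPLE_INTERCEPTED)):
        verdict = "MitM suspected" if interception_suspected("www.google.com", cert) else "issuer as expected"
        print(f"{label}: issuer={issuer_org(cert)!r} -> {verdict}")
    # Uncomment on a networked machine to probe the real hosts:
    # print(probe())
```

Running the offline samples flags only the second certificate. Pinning the SHA-256 of the leaf or of the issuing CA's public key (from `getpeercert(binary_form=True)`) is stricter than comparing the organization name, at the cost of more frequent baseline updates.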
Dark Tequila also looks for "suspicious" conditions on the host, such as running inside a virtual machine or alongside debugging tools, and if it finds them it executes a module that performs a full cleanup of the system and removes any persistence service.
The final module is a USB infector that copies an executable file to a removable drive, arranged so that it runs automatically, enabling the malware to move offline through the victim's network even when only one machine was initially compromised via spear-phishing. Any USB drive later connected to the infected computer is infected in turn and carries the malware to the next target.
This technique is especially useful for the threat actor when the targeted network is not connected to the rest of the world via internet or even email, Bestuzhev told Threatpost.
“USB propagation increases the number of infected machines and basically depends on how many USB devices are being used, and how frequently, in the victim’s network,” Bestuzhev told us. “While email is the initial infection vector, the USB [module] brings additional lateral movement propagations, which result in a higher number of infections.”
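A triage scanner for removable media, as an added example that is not part of the article or of Kaspersky's tooling. The article says the module copies an executable to the drive and arranges for it to run automatically but does not name the mechanism; this scanner assumes the classic one, an autorun.inf at the drive root pointing at an executable, and also flags any executable sitting at the root, since current Windows ignores autorun.inf on removable media and USB infectors often rely on lure files instead. The sample drive it builds is constructed for the example.

```python
"""Scan the root of a mounted removable drive for USB-infector artifacts."""
import configparser
import pathlib
import tempfile

EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def _exec_target(ref):
    """Strip arguments from an autorun value such as 'setup.exe /s' or
    '"my app.exe" /s' and return the file name it launches."""
    ref = ref.strip()
    if ref.startswith('"'):
        return ref[1:].split('"', 1)[0]
    return ref.split()[0] if ref.split() else ref


def parse_autorun(text):
    """Return the executable references in autorun.inf content.
    Parsing is lenient on purpose: infector-written files use odd casing,
    duplicate keys and junk lines ahead of [autorun] to trip strict parsers."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.strip().startswith("[")), 0)
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string("\n".join(lines[start:]))
    except configparser.Error:
        return []
    refs = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):  # keys are lower-cased by configparser
            if value and (key in ("open", "shellexecute") or key.startswith("shell\\")):
                refs.append(value.strip())
    return refs


def scan_drive_root(root):
    """Return (finding, name) tuples for a drive root: executables at the root,
    autorun entries whose target exists, and autorun entries pointing nowhere."""
    root = pathlib.Path(root)
    findings = []
    autorun = None
    for entry in root.iterdir():
        if entry.name.lower() == "autorun.inf":
            autorun = entry
        elif entry.is_file() and entry.suffix.lower() in EXEC_SUFFIXES:
            findings.append(("executable_at_root", entry.name))
    if autorun is not None:
        # utf-8-sig drops the BOM that Windows editors often prepend.
        for ref in parse_autorun(autorun.read_text(encoding="utf-8-sig", errors="ignore")):
            target = _exec_target(ref)
            kind = "autorun_exec" if (root / target).exists() else "autorun_dangling"
            findings.append((kind, target))
    return findings


def build_sample_drive():
    """Constructed sample: a temp directory laid out like an infected drive root."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "autorun.inf").write_text(
        "; junk line placed before the section header\n"
        "[AutoRun]\n"
        "OPEN=update.exe /quiet\n"
        "icon=update.exe,0\n"
        "action=Open folder to view files\n"
        "shell\\open\\command=missing.exe\n",
        encoding="utf-8",
    )
    (root / "update.exe").write_bytes(b"MZ")        # placeholder, not real code
    (root / "photos.scr").write_bytes(b"MZ")        # typical lure name
    (root / "report.docx").write_bytes(b"PK")       # benign user file
    return root


if __name__ == "__main__":
    for finding in sorted(scan_drive_root(build_sample_drive())):
        print(*finding)
```

On a real drive, run it against the mount point (for example `scan_drive_root("E:\\")`) and treat `autorun_exec` as the strongest signal; `executable_at_root` alone is common on clean drives and needs the file hashed and checked before anyone acts on it.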
Bestuzhev said that the threat actor behind Dark Tequila knows Mexico well, making researchers speculate that the actor is linked or connected to the country in some way.
“The threat actor behind it strictly monitors and controls all operations,” researchers said. “If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim’s machine.”
The campaign remains active, warned researchers, and “is designed to be deployed in any part of the world, and attack any targets according to the interests of the threat actor behind it.”