What Is It?
A new malware family, named Dark Tequila, is designed to obtain financial information and various types of login credentials. Researchers at Kaspersky Labs released a report detailing the sophisticated trojan, which has been targeting Mexican users since 2013. The researchers believe the authors are native Spanish speakers based somewhere in Latin America.
The malware consists of six modules and protects itself from detection by installing the main payload modules only if certain conditions are met. The initial component contacts the command and control (C2) server and obtains the second module. This module checks whether any security products are present, whether any network monitoring or debugging tools are running, and whether the malware is being executed in a virtual machine. If any of these criteria are met, the malware removes itself along with any potential forensic evidence.
The authors are quite hands-on in their monitoring of infections: if an infected system is not in Mexico or is not considered interesting, the malware uninstalls itself.
The purpose of the main malware modules is to obtain credentials for various Mexican financial institutions, web hosting control panels (cPanel and Plesk), Office 365, IBM Lotus Notes, Bitbucket, Amazon, GoDaddy, Namecheap, Dropbox, SoftLayer, Rackspace and others. An information stealer module extracts saved passwords from email clients, FTP clients and browsers. Any data obtained is encrypted and uploaded to the C2 server. A USB infector module allows the malware to propagate by infecting any removable drives attached to infected systems.
This threat is still active and could be deployed against any other geographical region the attackers choose in future.
How Does It Propagate?
The initial infection vector is either a spear phishing email or an infected USB device. Once a system is compromised, the USB infector module gives Dark Tequila a way to spread further by infecting any removable drives that are attached to it.
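Because the post names removable media as both an initial vector and a propagation channel, a defender's first question is usually how to triage a USB drive that has touched a suspect host. The script below is an added example written for this page, not code from the Kaspersky report or from BluVector, and the heuristics it applies (an autorun.inf at the drive root, executables at the root, and executables or shortcuts that mimic the name of a folder beside them) are generic USB-worm indicators I am assuming as a reasonable starting checklist; the report does not describe the specific mechanism Dark Tequila's USB infector uses. The sample drive layout is constructed inline so the script runs offline.

```python
import os
import tempfile
from pathlib import Path

# Extensions that commonly carry executable content on Windows removable media.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def triage_removable_drive(root):
    """Walk a mounted removable drive and return (indicator, relative_path) findings.

    Heuristics are assumptions for this example, not facts from the report:
      autorun        - an autorun.inf file sits at the drive root
      exec_in_root   - an executable sits directly at the drive root
      folder_mimic   - an executable shares its stem with a sibling folder
                       (e.g. Documents.exe next to Documents/)
      shortcut_mimic - a .lnk shares its stem with a sibling folder
    """
    root = Path(root)
    findings = []

    if (root / "autorun.inf").exists():
        findings.append(("autorun", "autorun.inf"))

    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        sibling_dirs = {name.lower() for name in dirnames}
        for name in filenames:
            path = here / name
            rel = path.relative_to(root).as_posix()
            suffix = path.suffix.lower()
            stem = path.stem.lower()

            if suffix in EXEC_SUFFIXES:
                if here == root:
                    findings.append(("exec_in_root", rel))
                if stem in sibling_dirs:
                    findings.append(("folder_mimic", rel))
            elif suffix == ".lnk" and stem in sibling_dirs:
                findings.append(("shortcut_mimic", rel))

    return findings


def build_sample_drive():
    """Create a constructed drive layout in a temp directory and return its path.

    Layout (constructed for this example):
      autorun.inf, report.pdf, Documents/notes.txt, Documents.exe,
      Photos/, Photos.lnk
    """
    root = Path(tempfile.mkdtemp(prefix="usb_triage_"))
    (root / "Documents").mkdir()
    (root / "Photos").mkdir()
    (root / "autorun.inf").write_text("[autorun]\n")
    (root / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (root / "Documents" / "notes.txt").write_text("benign text file\n")
    (root / "Documents.exe").write_bytes(b"MZ constructed placeholder\n")
    (root / "Photos.lnk").write_bytes(b"L\x00\x00\x00 constructed placeholder\n")
    return str(root)


if __name__ == "__main__":
    drive = build_sample_drive()
    for indicator, rel_path in triage_removable_drive(drive):
        print(f"{indicator:15} {rel_path}")
```

Running it against the constructed layout reports the autorun.inf, flags Documents.exe both as an executable at the root and as a folder mimic, and flags Photos.lnk as a shortcut mimic; report.pdf and the text file inside Documents produce nothing. Point it at a real mount point instead of the temp directory to triage an actual drive; it only reads names, never opens or executes the files.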
When/How Did BluVector Detect It?
Two samples are publicly available and BluVector's patented Machine Learning Engine (MLE) detected both. Regression testing has shown that, despite the samples being released in November 2015, both would still have been detected 23 months prior to that date.