This article was published on August 21, 2018

Dark Tequila is a sophisticated banking malware targeting victims in Mexico

Dark Tequila knows how to infect a victim and stay quiet.

Security researchers at Kaspersky Lab have uncovered a sophisticated cybercrime outfit called Dark Tequila, which targets banking customers in Mexico and other Latin American nations.

Kaspersky believes Dark Tequila has been active since 2013, primarily in Mexico. The outfit’s main weapon is an advanced malware program which the Russian security firm described as “unusually sophisticated.” Based on the company’s analysis of the code, it believes the developer is Spanish-speaking and Latin American in origin.

At the heart of it, the Dark Tequila malware exists to gather data on its victim — be that banking credentials, or personal or corporate data. As it silently sits on the user’s hard drive, it slurps up credentials for services like RackSpace, BitBucket, and DropBox, which can be used further down the line to stage additional attacks.

What makes it especially interesting is how it’s delivered to users. According to Kaspersky Lab, the primary method of transmission is spear phishing and infected USB flash drives. The latter is an extremely effective propagation method for several reasons, as people are intrinsically curious; appreciate a freebie; and aren’t sufficiently aware of the risks associated with using untrusted USB flash drives.

Once the malware is on the user’s computer, it connects to a remote command-and-control server, and downloads a payload. This only happens if the malware believes it’s on a genuine victim’s computer, and not, for example, in a quarantined analysis environment.

The Dark Tequila malware contains a keylogger and network monitoring tool, and crucially, is able to self-propagate. This means that should the victim insert a USB flash drive into their computer, the malware will clone itself, ready to infect a new person. This, incidentally, is how the Stuxnet virus was believed to have spread.

In a statement, Dmitry Bestuzhev, Head of the Global Research and Analysis Team at Kaspersky, stressed the dangers posed by Dark Tequila, emphasizing that it has the potential to be used across the world.

“At first sight, Dark Tequila looks like any other banking Trojan, hunting information and credentials for financial gain. Deeper analysis, however, reveals a complexity of malware not often seen in financial threats. The code’s modular structure and its obfuscation and detection mechanisms help it to avoid discovery and to deliver its malicious payload only when the malware decides it is safe to do so.”

“This campaign has been active for several years and new samples are still being found. To date it has only attacked targets in Mexico, but its technical capability is suitable for attacking targets in any part of the world,” he added.

Kaspersky Lab says its products can “detect and block” Dark Tequila-related malware. The firm also offered some generic, but still useful, advice, including disabling auto-run on USB devices, and avoiding connecting unknown devices and USB sticks to your computer.
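The USB auto-run advice above can be audited and applied with a short PowerShell script. This is an added example written for this article, not code from Kaspersky Lab or from the malware analysis; it assumes a Windows host, an elevated prompt for the machine-wide (HKLM) policy values, and uses the documented Windows policy settings that govern AutoRun and AutoPlay.

```powershell
# Added example (not from the article or Kaspersky Lab): audit and, with -Remediate,
# apply the "disable auto-run on USB devices" advice. The registry values below are
# the documented Windows policy settings; HKLM writes need an elevated prompt.
function Test-AutoRunHardening {
    [CmdletBinding()]
    param([switch]$Remediate)

    # Machine-wide policy: NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive
    # type; NoAutorun = 1 stops Explorer from honouring autorun.inf at all.
    $policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    # Per-user AutoPlay prompt (the dialog shown when a removable drive is inserted).
    $autoplay = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

    $checks = @(
        @{ Path = $policy;   Name = 'NoDriveTypeAutoRun'; Want = 0xFF },
        @{ Path = $policy;   Name = 'NoAutorun';          Want = 1    },
        @{ Path = $autoplay; Name = 'DisableAutoplay';    Want = 1    }
    )

    foreach ($c in $checks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $ok = ($null -ne $current) -and ($current -eq $c.Want)
        if (-not $ok -and $Remediate) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
            $ok = $true
        }
        # A missing value means the OS default applies, i.e. the weak setting.
        $shown = if ($null -eq $current) { '<not set: OS default, AutoRun allowed>' } else { $current }
        [pscustomobject]@{
            Setting   = "$($c.Path)\$($c.Name)"
            Current   = $shown
            Required  = $c.Want
            Compliant = $ok
        }
    }
}

# Audit only; add -Remediate to apply the hardening.
Test-AutoRunHardening | Format-Table -AutoSize
```

Disabling AutoRun stops a plugged-in drive from launching code by itself; it does not stop a user from opening a malicious file on the drive, so it complements rather than replaces the advice to avoid unknown USB sticks.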
