The citizens of Mexico are being served a rather unpalatable form of tequila: a dark version, and the name given to a threat group which has been covertly stealing valuable data from its victims for years.
On Tuesday, researchers from Kaspersky Lab revealed the existence of Dark Tequila, a threat group which has been active since 2013.
Specifically targeting users in Mexico for at least five years, Dark Tequila steals bank credentials, as well as personal and corporate data, in covert surveillance operations made possible through a form of malware able to move across networks without the need for Internet access.
Dark Tequila malware spreads through general and spear-phishing campaigns, and the malware is also able to propagate through infected USB devices, which makes it a serious threat against not only your average citizen but also corporate networks.
The security researchers believe the threat actors behind the campaign are Spanish-speaking and potentially Latin American, due to the use of the Spanish language and clues in the code which suggest local knowledge.
Kaspersky says that the Dark Tequila Trojan is “unusually sophisticated for financial fraud operations,” as the malicious code’s purpose goes beyond the direct theft of financial information stored on an infected system.
Once a PC has been infected, the malware contacts its command-and-control (C&C) server for instructions and will only release its credential-stealing payload once it appears safe to do so.
For example, should the malware detect security software or a sandbox, which indicates it may be under the magnifying glass of security researchers, the infection routine is stopped and Dark Tequila deletes any traces of itself.
However, if system conditions are considered safe, the Trojan will copy an executable file to a removable drive to run automatically — giving the malware the opportunity to spread through a network from only one infected source.
Any USB drives connected to the compromised system from this point will also become infected.
The malware contains modules including keyloggers and screen-monitoring components able to take screenshots and capture login details. While banking credentials are the top priority, Dark Tequila will also go on the hunt for any other stored credentials which are used to access online services.
Everything from email accounts, domain registrar accounts, file storage accounts and more is at risk of theft. Kaspersky says that credentials used to access popular services such as Amazon, GoDaddy, Network Solutions, Dropbox, and RackSpace are also on the table.
Stolen data is then encrypted and uploaded to the C&C server.
“At first sight, Dark Tequila looks like any other banking Trojan, hunting information and credentials for financial gain,” said Dmitry Bestuzhev, head of the Global Research and Analysis Team, Latin America, Kaspersky Lab. “Deeper analysis, however, reveals a complexity of malware not often seen in financial threats. The code’s modular structure, as well as its obfuscation and detection mechanisms, help it to avoid discovery and deliver its malicious payload only when the malware decides it is safe to do so.”
New samples of the malware are still being discovered, which suggests the campaign is still very much alive.
To date, only Mexican targets have been on the radar, but Kaspersky says that the threat actors’ capabilities make it feasible that the malware may spread worldwide.