Kaspersky researchers released intel on the “Dark Tequila” campaign that’s targeting Mexico with the primary function of stealing financial information.
The malware also steals login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.
There are two known methods of infection, spear-phishing and infected USB devices.
Picture via Kaspersky
Module 1, which is responsible for communication with the command and control server. It verifies if a man-in-the-middle network check is being performed, by validating the certificates with a few very popular websites.
Module 2 – CleanUp. If the service detects any kind of ‘suspicious’ activity in the environment, such as the fact that it is running on a virtual machine, or that debugging tools are running in the background, it will execute this module to perform a full cleanup of the system, removing the persistence service as well as any files created previously on the system.
Module 3 – Keylogger and Windows Monitor. This is designed to steal credentials from a long list of online banking sites, as well as generic Cpanels, Plesk, online flight reservation systems, Microsoft Office365, IBM lotus notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.
Module 4 – Information stealer, which is designed to steal saved passwords in email and FTP clients, as well as from browsers.
Module 5 – The USB infector. This copies an executable file to a removable drive to run automatically. This enables the malware to move offline through the victim’s network, even when only one machine was initially compromised via spear-phishing. When another USB is connected to the infected computer, it automatically becomes infected, and ready to spread the malware to another target.
Module 6 – The service watchdog. This service is responsible for making sure that the malware is running properly.
This campaign dates back to 2013 according to Kaspersky and still remains currently active.
Indicators of Compromise
- Block all URL and IP based IOCs at the firewall, IDS, web gateways, routers or other perimeter based devices.
- Use updated anti-virus and ensure your current vendor has coverage for this campaign.
- Search for existing signs of the indicated IOC’s in your environment and email systems.