Dark Tequila Keylogger

Dark Tequila Keylogger Attacks Mexican Banks

One Tequila, Two Tequila, Three Tequila, Floor!  A malware that has been actively attacking customers of several Mexican banking institutions since 2013 has been named Dark Tequila by security researchers at Kaspersky Labs.

Dark Tequila Malware

Dark Tequila is an advanced keylogger malware that is composed to steal victims’ financial information from a list of online banking sites, along with login credentials from popular websites.

“Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services,” according to researchers.

From there, Dark Tequila ranges from code versioning repositories to public file storage accounts and domain registrars.

But… How?!

Getting Dark Tequila is no accident.  This keylogger is either delivered to a victims’ computer by spear-phishing or an infected USB device.

Once executed, a multi-stage payload infects the victim’s computer only after certain conditions are met, which includes checking if the infected computer has any antivirus or security suite installed or is running in an analysis environment.

Researchers continue to say that, “the threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim’s machine,”

Dark Tequila’s 6 Modules

  1. 1. C&C – This part of the malware manages communication between the infected computer and the command and control (C&C) server and also responsible for monitoring man-in-the-middle attacks to defend against malware analysis.
  2. 2. CleanUp – While performing evasion techniques, if the malware detects any ‘suspicious’ activity—like running on a virtual machine or debugging tools—it performs a full cleanup of the infected system, removing the persistence service as well as forensic evidence of its presence.
  3. 3. Keylogger – This module has been designed to monitor the system and logs keystrokes to steal login credentials for a preloaded list of websites—both banking as well as other popular sites.
  4. 4. Information Stealer – This password stealing module extracts saved passwords from email and FTP clients, as well as browsers.
  5. 5. The USB Infector – This module replicates itself and infects additional computers via USB drives. It copies an executable file to a removable drive that runs automatically when plugged to other systems.
  6. 6. Service Watchdog – This module is responsible for making sure that the malware is running properly.

As stated by researchers, the Dark Tequila campaign is effective today and can be utilized in any part of the world according to the interest of the cybercriminal behind it.

How to Prevent Dark Tequila

In order to steer clear of Dark Tequila, it is great practice to be suspicious of all emails and to keep your antivirus up-to-date against such malware before they attack you or your network.

Since another way your computer can get attacked is by an infected USB drive, do not insert untrusted removable and USB devices to your computer.  As an extra security precaution, consider disabling auto-run on USB devices.

Original Article Found Here.

  • 1