New Dark Tequila malware campaign found targeting Mexico

• The cybercriminals conducting the campaign are looking to steal financial information and login credentials to popular websites.
• The Dark Tequila malware comes with a multi-payload package and only runs on a targeted system when specific conditions are met.

A new complex and sophisticated malware campaign called Dark Tequila has been found targeting victims in Mexico. The campaign primarily involves stealing financial information and login credentials to popular websites.

The Dark Tequila malware comes packed with multiple payloads, which are only delivered to a targeted system when certain conditions are met. For instance, the malware does not run if it detects security programs installed and an analysis environment.

The campaign targets customers of several major Mexican banking institutions. The Dark Tequila malware contains comments embedded in the code that are written in Spanish - words that are only used in Latin America.

Modus operandi

According to security researchers at Kaspersky Labs, who discovered the campaign, Dark Tequila has been active since 2013, deliver the malware via either spearphishing or USB devices.

“The threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim’s machine,” Kaspersky researchers said in a blog. “The Dark Tequila malware and its supporting infrastructure are unusually sophisticated for a financial fraud operation.”

Dark Tequila malware

The Dark Tequila malware contains multiple modules, which when instructed by the C2 server decrypt and activate. In total, the malware contains 6 modules. The first module is responsible for communicating with the C2 server and verifying if a man-in-the-middle network check is being performed.

The second module is a cleanup module that will only be executed to perform a full system cleanup in the event that “the service detects any kind of ‘suspicious’ activity in the environment, such as the fact that it is running on a virtual machine, or that debugging tools are running in the background”.

The third malware module is a keylogger and a Windows monitor that is designed to steal credentials from online banking sites and other services. The fourth module is a data-stealer that pilfers saved email and browser passwords. Meanwhile, the fifth module is a USB infector that allows the malware to move offline through the victim’s network. The sixth module is like a malware watchdog, responsible for ensuring that the malware is running smoothly.

“The campaign remains active. It is designed to be deployed in any part of the world, and attack any targets according to the interests of the threat actor behind it,” Kaspersky researchers said.