Dubbed Dark Tequila, the campaign delivers an advanced keylogger malware that managed to stay under the radar for five years due to its highly targeted nature and a few evasion techniques.
Dark Tequila has primarily been designed to steal victims' financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.
The list of targeted sites includes "Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services," the researchers say in a blog post.
The malware gets delivered to the victims' computers in the first place either via spear-phishing or infected USB devices.
Once executed, a multi-stage payload infects the victim's computer only after certain conditions are met, which includes checking if the infected computer has any antivirus or security suite installed or is running in an analysis environment.
Besides this, "the threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim's machine," the researchers say.
The Dark Tequila malware basically includes 6 primary modules, as follows:
- 1. C&C – This part of the malware manages communication between the infected computer and the command and control (C&C) server and also responsible for monitoring man-in-the-middle attacks to defend against malware analysis.
- 2. CleanUp – While performing evasion techniques, if the malware detects any 'suspicious' activity—like running on a virtual machine or debugging tools—it performs a full cleanup of the infected system, removing the persistence service as well as forensic evidence of its presence.
- 3. Keylogger – This module has been designed to monitor the system and logs keystrokes to steal login credentials for a preloaded list of websites—both banking as well as other popular sites.
- 4. Information Stealer – This password stealing module extracts saved passwords from email and FTP clients, as well as browsers.
- 5. The USB Infector – This module replicates itself and infects additional computers via USB drives. It copies an executable file to a removable drive that runs automatically when plugged to other systems.
- 6. Service Watchdog – This module is responsible for making sure that the malware is running properly.
According to the researchers, the Dark Tequila campaign is still active and can be deployed in any part of the world to attack any target "according to the interests of the threat actor behind it."
To protect yourself, you are recommended to always be vigilant of suspicious emails and keep a good antivirus solution to protect against such threats before they infect you or your network.
Most importantly, avoid connecting untrusted removable and USB devices to your computer, and consider disabling auto-run on USB devices.
