Kaspersky Lab has discovered a sophisticated cyber-operation named Dark Tequila that has been targeting users in Mexico for at least the last five years, stealing bank credentials, personal and corporate data with malware that can move laterally through the victim computer while offline. According to the researchers, the malicious code spreads through infected USB devices as well as spear-phishing emails and includes features to evade detection. The threat actor behind Dark Tequila is believed to be Spanish-speaking and Latin American in origin.

The Dark Tequila malware and its supporting infrastructure are unusually sophisticated for financial fraud operations. The threat is focused mainly on stealing financial information, but once inside a computer, it also siphons off credentials to other sites, including popular websites, harvesting business and personal email addresses, domain registers, file storage accounts and more, possibly to be sold or used in future operations. Examples include Zimbra email clients and the websites for Bitbucket, Amazon, GoDaddy, Network Solutions, Dropbox, RackSpace and others.

The malware carries a multi-stage payload and is distributed to users through infected USB devices and spear-phishing emails. Once inside a computer, the malware makes contact with its command server in order to receive instructions. The payload is delivered to the victim only when certain technical network conditions are met. If the malware detects an installed security solution, network monitoring activity or signs that the sample is being run in an analysis environment, such as a virtual sandbox, it stops the infection routine and clears itself from the system.

If none of these are found, the malware activates the local infection and copies an executable file to a removable drive to run automatically. This enables the malware to move offline through the victim’s network, even when only one machine was initially compromised via spear-phishing. When another USB device is connected to the infected computer, it is automatically infected and ready to spread the malware to another target.

The malicious implant contains all the modules required for the operation, including a key-logger and window-monitoring capability for capturing login details and other personal information. When instructed to do so by the command server, the different modules decrypt and activate. All stolen data is uploaded to the server in encrypted form.

Dark Tequila has been active since at least 2013, targeting users in Mexico or connected to that country. Based on Kaspersky Lab’s analysis, the presence of Spanish words in the code and evidence of local knowledge suggest the threat actor behind the operation is from Latin America.

“At first sight, Dark Tequila looks like any other banking Trojan, hunting information and credentials for financial gain. Deeper analysis, however, reveals a complexity of malware not often seen in financial threats,” said Dmitry Bestuzhev, head of Global Research and Analysis Team, Latin America, Kaspersky Lab. “The code’s modular structure, as well as its obfuscation and detection mechanisms, help it to avoid discovery and deliver its malicious payload only when the malware decides it is safe to do so. This campaign has been active for several years and new samples are still being found. To date, it has only attacked targets in Mexico, but its technical capability is suitable for attacking targets in any part of the world.”

Kaspersky Lab products successfully detect and block Dark Tequila-related malware.

Kaspersky Lab advises all users to take the following measures to protect themselves from spear-phishing and attacks through removable media such as USBs:

  • Check any email attachments with anti-virus security before opening
  • Disable auto-run from USB devices
  • Check USB drives with anti-virus security before opening
  • Don’t connect unknown devices and USB sticks to a device
  • Use a security solution with additional robust protection against financial threats

Businesses are also advised to:

  • Block the USB ports on user devices if they are not required for business
  • Manage the use of USB devices – define which USB devices can be used, by whom and for what
  • Educate employees on safe USB practices, particularly if they are moving the device between a home computer and a work device
  • Don’t leave USBs lying around or on display
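The autorun and removable-storage recommendations above correspond to machine-wide Windows policy settings. The following PowerShell script is an added example, not Kaspersky Lab's code: it audits those registry-backed policy values and, with -Apply, enforces them; the paths and value names are the standard Windows policy locations, and Deny_All implements the "block USB storage where not required" advice rather than per-device allow-listing.

```powershell
# Added example (not Kaspersky Lab's): audit, and optionally enforce, the
# machine-wide policies behind two recommendations above:
#   1. no AutoRun/AutoPlay for removable drives (defeats autorun.inf-based spread)
#   2. deny access to removable storage where the business does not need it
# Run as Administrator. Audit only by default; pass -Apply to set the values.
param([switch]$Apply)

$Explorer  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Removable = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Desired state, as the equivalent Group Policy settings would write it:
#   NoDriveTypeAutoRun 0xFF  - "Turn off AutoPlay" for all drive types
#   NoAutorun          1     - never execute autorun.inf commands
#   Deny_All           1     - "All Removable Storage classes: Deny all access"
$Desired = @(
    @{ Path = $Explorer;  Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
    @{ Path = $Explorer;  Name = 'NoAutorun';          Value = 1 }
    @{ Path = $Removable; Name = 'Deny_All';           Value = 1 }
)

function Get-PolicyValue($Path, $Name) {
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: policy not configured
}

foreach ($p in $Desired) {
    $current = Get-PolicyValue $p.Path $p.Name
    $ok      = ($current -eq $p.Value)
    $state   = if ($null -eq $current) { 'not set' } else { '0x{0:X}' -f $current }
    $verdict = if ($ok) { 'OK' } else { 'NON-COMPLIANT' }
    Write-Output ('{0,-20} current={1,-8} expected=0x{2:X} {3}' -f `
                  $p.Name, $state, $p.Value, $verdict)

    if ($Apply -and -not $ok) {
        # Create the policy key if Group Policy has never written it.
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -Type DWord
        Write-Output ('  -> set {0} = 0x{1:X}' -f $p.Name, $p.Value)
    }
}
```

Explorer picks up the AutoRun values at next logon; Deny_All takes effect immediately for newly inserted devices. In a domain, prefer deploying the same settings via Group Policy so they cannot be reverted locally.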