Delaware, USA – August 22, 2018 – Dark Tequila is a sophisticated modular banking malware targeting users in Mexico that remained undetected for about five years. Researchers from Kaspersky Lab discovered and analyzed the ongoing malicious campaign. Dark Tequila is designed to steal financial information and credentials for online banking and popular websites, including Amazon, GoDaddy, Dropbox and Microsoft Office 365. The malware implements complex evasion techniques that helped it stay under the radar. The primary infection vector is spear phishing, but it is not the only way victims' systems are compromised. After infecting the target user, the malware checks its environment to make sure it is not running on a virtual machine or in a sandbox, and only then downloads and installs additional modules from the command & control server. The main module is an advanced keylogger that collects information and transfers it to the adversaries. Another notable module is responsible for infecting all connected USB storage devices and spreading further. Dark Tequila also has a module responsible for self-deletion and the removal of all traces if it detects malware analysis tools or if, for whatever reason, the attacker is not interested in a particular victim.
The attackers are currently interested only in users of Mexican banks, but the malware can easily be modified to target customers of any bank. The campaign is still ongoing, and to detect this banking trojan you can use your SIEM with the Threat Hunting Framework and File Hash Analytics rule packs.