A malware campaign designed to steal financial information and log-in credentials for a variety of popular online services has been secretly endangering Mexican users since at least 2013, researchers from Kaspersky Lab's Global Research & Analysis Team (GReAT) are warning.
Dubbed Dark Tequila, the multi-stage, highly modular malware has been infecting its victims primarily via spear phishing scams as well as compromised USB drives, Kaspersky reported in a blog post. The final payload targets users of specific Mexican financial institutions, as well as the web hosting control panels cPanel and Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace and other services.
Kaspersky has identified six modules, the first of which handles communication with the command-and-control server, which in turn remotely controls the other modules, instructing them to decrypt and activate. "It verifies if a man-in-the-middle network check is being performed, by validating the certificates with a few very popular websites," Kaspersky has reported.
Other modules include a combination keylogger and Windows Monitor, which is designed to steal credentials from the aforementioned services, and an information stealer that swipes saved passwords from email and FTP clients, as well as browsers. The stolen data is then uploaded to the C&C server in encrypted form.
Yet another module is designed to remove any traces of Dark Tequila if it detects any clues that it could be running in a research environment. According to Kaspersky, the crafty malware is wise to virtual machines and debugging environments, as well as machines with installed security suites, and therefore will only become fully functional if it determines it is safe to operate.
A fifth module is the USB infector, which allows Dark Tequila to spread to additional machines by copying the malware to removable drives that are physically inserted into the affected system. Finally, a sixth module ensures that the malware is running as it should.
Despite the malware campaign's Mexican focus, "It is designed to be deployed in any part of the world, and attack any targets according to the interests of the threat actor behind it," the blog post concludes.