An active financial malicious campaign dubbed “Dark Tequila” heavily targeting Mexico since at least 2013 has been recently analyzed by the Kaspersky Lab researchers. According to reports, the malware primarily aims at stealing sensitive information, including but not limited to financial data, login credentials to popular websites, domain registers and file storage accounts.
Five operational modules have been identified by the researchers within the multistage payload, spread via spear-phishing or infected USB devices. The supporting infrastructure reportedly proved to be “unusually sophisticated” and the payload activates only if certain specific technical conditions are met. All the stolen data is then encrypted and uploaded to the C2 server.
The campaign was judged to be aimed at Mexican institutions because the malware includes a mechanism that uninstalls itself if the system is not located in Mexico or if the infected host appears to be a "casual" (unintended) infection. The target list recovered from the malware's final payload also contained the names of several Mexican banking institutions, and some of the comments in the code were written in Spanish.
Proficio Threat Intelligence Recommendations:
- Refrain from opening email from unknown senders or inserting USB keys of unknown origin.
- Deploy a spam filter that detects malicious attachments.
- Always make sure antivirus, software and operating systems are up-to-date.
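As an added illustration of the second recommendation (this is example code written for this summary, not Proficio's or Kaspersky's tooling), the following Python script scans the attachments of an e-mail for three indicators a mail filter would typically flag: a blocked executable or macro-enabled extension, a double extension such as `.pdf.exe`, and a file whose content starts with a PE (`MZ`) header but whose name claims to be something else. The blocked-extension list, the sample message and the attachment names are constructed assumptions for the example, not indicators from the campaign.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions commonly abused to deliver a first-stage payload.
# This policy list is an assumption for the example, not the page's.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".docm",
                      ".xlsm", ".hta", ".lnk"}

# Leading magic bytes for a few container formats, used to compare the
# declared file name with what the attachment actually contains.
MAGIC = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-container",       # also docx/xlsm/jar
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole-compound",  # legacy .doc/.xls
}


def detect_type(data: bytes) -> str:
    """Return a coarse content type based on leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def attachment_findings(part) -> list[str]:
    """Return a list of human-readable findings for one MIME attachment."""
    findings = []
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    exts = ["." + p for p in name.split(".")[1:]]

    # 1. Final extension is on the blocked list.
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        findings.append(f"{name}: blocked extension {exts[-1]}")
    # 2. Double extension, e.g. "estado.pdf.exe" to hide the real type.
    if len(exts) >= 2:
        findings.append(f"{name}: double extension")
    # 3. Content is a Windows executable but the name says otherwise.
    if detect_type(data) == "pe-executable" and exts[-1:] != [".exe"]:
        claimed = exts[-1] if exts else "no extension"
        findings.append(f"{name}: PE executable disguised as {claimed}")
    return findings


def scan_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and scan every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(attachment_findings(part))
    return findings


def build_sample() -> bytes:
    """Constructed sample message (not a real campaign artifact)."""
    msg = EmailMessage()
    msg["From"] = "cuentas@example.invalid"
    msg["To"] = "tesoreria@example.invalid"
    msg["Subject"] = "Estado de cuenta"
    msg.set_content("Adjunto su estado de cuenta.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # minimal PE-looking header
    # Double extension plus blocked final extension.
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="estado_de_cuenta.pdf.exe")
    # Executable content carrying a harmless-looking PDF name.
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="factura.pdf")
    # Genuine-looking PDF that should produce no findings.
    msg.add_attachment(b"%PDF-1.4\n%constructed", maintype="application",
                       subtype="pdf", filename="aviso.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The magic-byte check is the part worth keeping in a real filter: extension rules alone are defeated by renaming, whereas a PE header in a file called `factura.pdf` is a strong signal regardless of what the sender claims.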