Recently a sophisticated strain of banking malware campaign, named Dark Tequila has been spotted in the Mexican Financial market, targeting the Mexicans with primary purpose of stealing their financial information along with the login credentials to popular websites. These popular sites include code versioning repositories, public storage accounts, and domain registrars, as well.
According to some researchers, the malware campaign went undetected since at least 2013 and that is why considered as one of the most mature threats of present times. Dark Tequila is a multistage malware that has targeted a long list of online banking sites and online flight booking sites along with Cpanel, Plesk, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Amazon Web Services, Bitbucket, Dropbox, IBM Softlayer, and many others.
In this post, we will discuss how Dark Tequila campaign functions and how can we protect our data from this vulnerability.
Suggested reading – Top 4 Tips to Help Beef Up Your Email Server’s Security
What is Dark Tequila Threat?
Dark Tequila implements complex invasion techniques and thus the level of its sophistication is unusual for financial fraud schemes. The delivery of the malware is dependent upon certain technical conditions. The malware is capable to detect the analysis environment of the website and its relevant security solutions. Initially, an advanced keylogger is delivered to the victim’s site to monitor and control all its operations. If the information retrieved from the victim’s system is useful, then the attacker proceed with the attack, else the malware is uninstalled remotely from the system.
Dark Tequila follows a modular structure which primarily includes these 6 modules:
- Module 1: This module is responsible for the communication with the command and control server. It helps in verifying the man-in-the-middle network check being performed by validating the certificate of the victim website with other popular websites.
- Module 2: Clean Up- If any suspicious activity is detected in the environment, such as some file running on the virtual machine or debugging tools running in the background, the service will execute Module 2 to perform a full cleanup of the system. This will remove the persistence service along with any file created previously on the system.
- Module 3: Keylogger and Windows Monitor- this module is specifically designed to steal the credentials from long listed online banking sites, generic Cpanel, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes Clients, Zimbra Email, Amazon and many others.
- Module 4: Information Stealer: This module is designed to steal saved passwords in emails and FTP clients and from web browsers.
- Module 5: The USB Infector: This module is used for copying executable files to a removable drive that runs automatically. This helps the malware to move towards victim’s network even being offline or only one machine initially being compromised via spear-phishing. As soon as another system gets connected to the infected USB, the malware gets transferred to that specific system and spreads the malware towards another target.
- Module 6: Malware Monitoring: This module makes sure the malware is running properly into the victim’s system.
Suggested reading – 5 Advantages of Barracuda Email Security for Your Business
These modules are inserted in the main sample and the sensitive pieces of information are extracted during the analysis process. Imagine the amount of loss a company would suffer if the enterprise level mailing server, such as Zimbra or Microsoft Office 365 gets compromised dues to Dark Tequila threat. However, till date, there is no such existing vulnerability in Zimbra exploited by Dark Tequila, but just as other email services/clients, Zimbra is expected to be on the target radar of this malicious campaign.
So here are some of the best practices for every end-user to protect themselves and their enterprises from stolen credentials:
- Use strong passwords, unique phrases for every service. Never share or reuse passwords.
- Do not open suspicious emails, or links and avoid phishing scams.
- Use multi-factor authentication
- Consider using the most efficient antivirus software on every device of your enterprise.
Final Words: Do not forget that the Dark Tequila threat remains active and chances of it being deployed in any part of the world are very high. It is capable to attack any target intended by the threat actor who deploys it. Worried about your enterprise data? Avail cloud backup and server backup solutions from i2k2 Networks. Contact us at +91-120-466-3031 / +91-971-177-4040 or drop us an email at firstname.lastname@example.org.