A sophisticated banking malware campaign named Dark Tequila has recently been spotted in the Mexican financial market. It targets Mexican users with the primary purpose of stealing their financial information and their login credentials for popular websites, including code versioning repositories, public storage accounts, and domain registrars.
Researchers have discovered that the Dark Tequila campaign has been operating undetected since at least 2013, and it is considered one of the most mature threats of its kind today. Dark Tequila is multistage malware that targets a long list of online banking and flight booking sites, as well as various other platforms, including cPanel, Plesk, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Amazon Web Services, Bitbucket, Dropbox, and IBM SoftLayer.
This post discusses how the Dark Tequila campaign works and how to protect your data from this threat.
What is the Dark Tequila Threat?
Dark Tequila is malware that uses sophisticated intrusion techniques going well beyond typical financial fraud schemes. The malware is delivered only when certain technical conditions are met, and it can detect security solutions and analysis environments on the targeted system. Once installed, an advanced keylogger is deployed to monitor and control all operations on the victim's system. If the information obtained is useful, the attacker proceeds with the attack; if not, the malware is uninstalled remotely from the system.
Dark Tequila has a modular structure consisting of six main modules:
- Module 1: Command and Control: This module communicates with the command and control server. It also checks whether a man-in-the-middle network inspection is in place by comparing the certificate of the victim's website with those of other popular websites.
- Module 2: Clean Up: If any suspicious activity is detected in the environment, such as the sample running in a virtual machine or debugging tools running in the background, the service executes Module 2 to clean the system fully. This removes the persistence service and any previously created files.
- Module 3: Keylogger and Windows Monitor: This module is designed to steal credentials from a long list of online banking sites, generic cPanel and Plesk installations, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Amazon, and many others.
- Module 4: Information Stealer: This module steals passwords saved in email clients, FTP clients, and web browsers.
- Module 5: USB Infector: This module copies an executable to any removable drive that is connected so that it runs automatically when the drive is plugged into another machine. This lets the malware move through the victim's network even when the network is offline or only one machine was initially compromised via spear-phishing. When another system is connected to the infected USB drive, the malware is transferred to that system and spreads to further targets.
- Module 6: Malware Monitoring: This module ensures the malware keeps running properly on the victim's system.
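Module 1's certificate comparison has a legitimate defender-side counterpart: checking whether TLS traffic from a machine is being intercepted by comparing the certificate issuer that well-known sites present with the issuer recorded on a known-clean network. The following Python script is an added example written for this post; it is not code from the post or from the malware. The expected issuer values are placeholders you record yourself, and the host list is an assumption for the example.

```python
import hashlib
import socket
import ssl

# Constructed expectations (assumption for this example): the issuer
# organizationName each host presents on a known-clean network. The value
# below is a placeholder; record the real one from a trusted network first.
EXPECTED_ISSUER_ORG = {
    "www.example.com": "EXAMPLE-PUBLIC-CA",
}


def issuer_org(cert: dict) -> str:
    """Return the issuer organizationName from an ssl.getpeercert() dict.

    getpeercert() represents the issuer as a tuple of RDNs, each RDN being a
    tuple of (attribute, value) pairs; this walks that structure.
    """
    for rdn in cert.get("issuer", ()):
        for attribute, value in rdn:
            if attribute == "organizationName":
                return value
    return ""


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated.

    Useful when you want to pin the exact leaf certificate rather than only
    compare the issuer organisation.
    """
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def classify(host: str, cert: dict, expected: dict = EXPECTED_ISSUER_ORG) -> str:
    """Compare the observed issuer with the one expected for this host.

    Returns "ok", "mismatch" (possible interception, or a legitimate CA change
    that needs re-baselining), or "unknown" when no expectation is recorded.
    """
    if host not in expected:
        return "unknown"
    return "ok" if issuer_org(cert) == expected[host] else "mismatch"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with full certificate validation and return the peer cert dict.

    An interception proxy whose root the OS does not trust fails here with an
    SSLError; a proxy whose root has been installed on the machine validates
    fine and is only caught by the issuer comparison in classify().
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Live check against every host with a recorded expectation.
    for host in EXPECTED_ISSUER_ORG:
        try:
            print(host, classify(host, fetch_peer_cert(host)))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            print(host, "error:", exc)
```

A "mismatch" is a prompt to investigate, not proof of interception: public sites do change certificate authorities, so re-baseline the expected issuers from a network you trust whenever a mismatch turns out to be benign.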
These modules are bundled into the main sample, and the sensitive information is extracted by them once they run. Imagine the loss to a company if its enterprise mail server, such as Zimbra or Microsoft Office 365, were compromised by the Dark Tequila threat. To date, no vulnerability in Zimbra has been exploited by Dark Tequila, but like other email services and clients, Zimbra can be expected to be on this campaign's target radar.
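The USB propagation described for Module 5 relies on the removable drive running a program automatically when it is connected. On Windows that behaviour is driven by an autorun.inf file at the drive root; the post does not name the file, so that is an assumption of the following added example, which is not code from the post or from any vendor. The script parses autorun.inf (an INI-style file) and reports any entry that would launch executable content, which is what a removable-media check in an endpoint tool or a logon script would look for. The sample autorun.inf texts are constructed for the example.

```python
import configparser
import os
import pathlib
import shlex
import sys

# [autorun] keys whose value names a program to run, or to offer as the
# default action when the drive is opened in Explorer.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command")
# File extensions treated as executable content.
EXEC_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".dll"}

# Constructed sample inputs (not taken from any real drive).
SAMPLE_MALICIOUS = """[autorun]
open=updater.exe /silent
icon=drive.ico
label=Removable Disk
"""
SAMPLE_BENIGN = """[autorun]
icon=drive.ico
label=Photos
"""


def parse_autorun(text: str) -> dict:
    """Return the launch-related entries of an autorun.inf as {key: value}.

    autorun.inf is INI-style, so configparser handles it. Section and key
    names are case-insensitive on Windows; configparser lowercases keys and the
    section is matched here ignoring case. Malformed files yield {}.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return {}
    name = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if name is None:
        return {}
    section = parser[name]
    return {key: (section[key] or "") for key in LAUNCH_KEYS if key in section}


def program_of(command: str) -> str:
    """Return the program name from a command line such as '"a b.exe" /s'."""
    try:
        tokens = shlex.split(command, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command.split()
    return tokens[0].strip('"') if tokens else ""


def flag_launch_entries(entries: dict) -> list:
    """Describe each entry whose command launches executable content."""
    findings = []
    for key, value in entries.items():
        program = program_of(value)
        if pathlib.PureWindowsPath(program).suffix.lower() in EXEC_SUFFIXES:
            findings.append(f"{key}={value} launches {program}")
    return findings


def scan_drive_root(root: str) -> list:
    """Scan one drive root (for example 'E:\\') for autorun.inf launch entries."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as handle:
        return flag_launch_entries(parse_autorun(handle.read()))


if __name__ == "__main__":
    # Usage: python scan_autorun.py E:\ F:\
    for drive_root in sys.argv[1:]:
        print(drive_root, scan_drive_root(drive_root) or "no launch entries")
```

Finding an autorun.inf that launches an executable is a strong signal on a drive that is supposed to hold documents, but the more durable mitigation is to disable AutoRun and AutoPlay through Group Policy so the entry is never honoured in the first place.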
Here are some best practices for every end user to protect themselves and their enterprises from credential theft:
- Use strong, unique passwords or passphrases for every service. Never share or reuse passwords.
- Do not open suspicious emails or links, and learn to recognise phishing scams.
- Use multi-factor authentication.
- Deploy effective antivirus software on every device in your enterprise.
Final Words: Do not forget that the Dark Tequila threat remains active, and the chances of it being deployed in other parts of the world are high. It can attack any target chosen by the threat actor who deploys it. Are you worried about your enterprise data? Cloud backup and server backup solutions are available from TECH GURU. Contact us at +91-8800567676 or drop us an email at [email protected]