Banking Malware Uncovered After 5 Years

Security analysts at Kaspersky Labs have revealed another, complex malware that has been focusing on clients of a few Mexican financing establishments since 2013.

Named Dark Tequila, the advanced keylogger malware remained under the radar for a long time because of its exceedingly focused on a couple of evasion strategies.

Dark Tequila has basically been intended to take victim money related data from a not insignificant list of banking web services and popular websites.

The list of sites includes “Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services,” the analysts in a blog post.

Once executed, a payload infects the machine only after certain conditions are met, which includes testing if the computer has any antivirus or security software installed. In conclusion, “the threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim’s machine,” the researchers say.

As it is more precisely evaluated in the article whole malware campaign functions through six modules:

• Module 1, which is responsible for communication with the command and control server. It verifies if a man-in-the-middle network check is being performed, by validating the certificates with a few very popular websites.
• Module 2 – CleanUp. If the service detects any kind of ‘suspicious’ activity in the environment, such as the fact that it is running on a virtual machine, or that debugging tools are running in the background, it will execute this module to perform a full cleanup of the system, removing the persistence service as well as any files created previously on the system.
• Module 3 – Keylogger and Windows Monitor. This is designed to steal credentials from a long list of online banking sites, as well as generic Cpanels, Plesk, online flight reservation systems, Microsoft Office365, IBM lotus notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.
• Module 4 – Information stealer, which is designed to steal saved passwords in email and FTP clients, as well as from browsers.
• Module 5 – The USB infector. This copies an executable file to a removable drive to run automatically. This enables the malware to move offline through the victim’s network, even when only one machine was initially compromised via spear-phishing. When another USB is connected to the infected computer, it automatically becomes infected, and ready to spread the malware to another target.
• Module 6 – The service watchdog. This service is responsible for making sure that the malware is running properly.

“Most of the victims are located in Mexico. The campaign has been active since at least 2013, so it is a very ‘añejo’ (mature) product. There are two known infection vectors: spear-phishing and infection by USB device. The threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim’s machine.” Said experts from Kaspersky.