Dark Tequila

By GoldSparrow in Malware

PC security researchers recently reported a widespread malware campaign that has been active in Mexico since at least 2013. Dark Tequila has been targeting computer users and customers of Mexican banks for several years. It is an advanced Trojan designed to collect information from infected computers. Dark Tequila has avoided detection since it first appeared in 2013 because of its obfuscation and evasion measures and because its attacks are very narrowly targeted. As with most banking Trojans, Dark Tequila collects the victims' data and targets customers of a large number of online banking websites. It also targets other online accounts that are not banking related, such as Amazon and Microsoft Office 365. Computer users in Mexico, and customers of Mexican online banking websites, are strongly advised to take steps to safeguard their online account information.

Some Particularities about the Dark Tequila Infection

Dark Tequila is delivered to its victims through phishing email attachments or infected USB external memory devices. Once it has entered the victim's computer, Dark Tequila determines whether it is running in a virtual environment or has infected a real computer. One important aspect of Dark Tequila is that its attacks are highly targeted and the criminals controlling it monitor every infection. If Dark Tequila is installed on a computer outside of Mexico, or on one that was not targeted specifically, the criminals uninstall it. These measures have helped Dark Tequila evade detection and analysis by PC security researchers for at least the five years in which these attacks have been going on.
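Because the Trojan removes itself when it believes it is inside a virtual machine, an analyst who wants to observe it needs a sandbox that does not advertise itself. The page does not say which checks Dark Tequila performs, so the following is an added example, not Dark Tequila's code and not from this page: a generic Python check an analyst can run inside an analysis VM to see whether the most common hypervisor fingerprints (MAC address OUIs, hostname keywords and guest-tools process names) are exposed. The OUI table, keyword list and process names are the usual well-known values and are assumptions chosen for illustration.

```python
"""Generic hypervisor/sandbox fingerprint check for analysis VMs (added example)."""
import socket
import uuid

# OUI prefixes registered to common hypervisor vendors (well-known public values).
VM_MAC_OUIS = {
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "00:1c:42": "Parallels", "52:54:00": "QEMU/KVM",
}
# Hostname fragments and guest-tools processes that many analysis VMs leave visible.
# Assumed lists for illustration; real malware families differ in what they check.
SUSPICIOUS_HOSTNAME_WORDS = ("sandbox", "malware", "virus", "analysis", "cuckoo")
GUEST_TOOL_PROCESSES = {
    "vmtoolsd.exe", "vmwaretray.exe", "vboxservice.exe", "vboxtray.exe", "prl_tools.exe",
}


def vm_indicators(macs, hostname, processes=()):
    """Return (category, detail) pairs for every exposed fingerprint; empty list if none."""
    hits = []
    for mac in macs:
        # Normalise "08-00-27-..." and "08:00:27:..." to the same 8-character OUI prefix.
        prefix = mac.lower().replace("-", ":")[:8]
        vendor = VM_MAC_OUIS.get(prefix)
        if vendor:
            hits.append(("mac_oui", f"{mac} -> {vendor}"))
    lowered = hostname.lower()
    for word in SUSPICIOUS_HOSTNAME_WORDS:
        if word in lowered:
            hits.append(("hostname", f"{hostname!r} contains {word!r}"))
            break
    for proc in processes:
        if proc.lower() in GUEST_TOOL_PROCESSES:
            hits.append(("guest_tools", proc))
    return hits


def local_macs():
    """Best-effort primary MAC from the standard library. uuid.getnode() may fall back
    to a random 48-bit value (multicast bit set) when no hardware address is found."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))
    return [mac]


if __name__ == "__main__":
    # Collect the process list with your own tooling (tasklist, ps) and pass it as
    # the third argument; only MAC and hostname are gathered here.
    hits = vm_indicators(local_macs(), socket.gethostname())
    if not hits:
        print("no obvious hypervisor fingerprint exposed")
    for category, detail in hits:
        print(f"[{category}] {detail}")
```

Run it inside the analysis VM. Any hit is a property a Trojan of this kind could test before deciding to uninstall itself; a clean result only means these particular artifacts are hidden, not that the sample will run, since the operators also reportedly discard infections outside Mexico.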

Dark Tequila's Modular Functions

Dark Tequila, like many other banking Trojans, is structured using different modules, which allows criminals to customize the Dark Tequila attack to their own purposes. The following are the six modules that have been detected in the Dark Tequila attacks:

  • A Command and Control module, responsible for communicating with the Command and Control server and for checking whether anyone, such as a security researcher, is trying to intercept that communication.
  • A self-removal module that deletes Dark Tequila from the computer if there is evidence that it has been installed on a computer not targeted in the attack or in a virtual environment. This module removes all evidence of Dark Tequila's presence from the infected computer.
  • A keylogger module that records keystrokes on the infected computer when the victim loads a website contained in a list hard-coded in Dark Tequila, typically popular online services and banking sites. This allows the criminals to collect the victim's passwords and login data.
  • An information-collecting module that attempts to extract saved data, such as passwords and history, from the victim's Web browsers and other software, such as FTP clients and instant messaging programs.
  • A USB propagation module associated with one of its delivery methods. It copies a malicious executable file containing Dark Tequila to removable drives plugged into an infected computer, allowing Dark Tequila to spread from one computer to another.
  • A watchdog module that monitors Dark Tequila's own activity to make sure it is running correctly, which allows the criminals responsible for it to monitor and troubleshoot problems with this sophisticated Trojan.
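The USB propagation module copies an executable to any drive plugged into an infected machine, so removable media from a suspected victim is worth triaging before it is plugged into anything else. The following added Python example (not the Trojan's code and not from this page) walks a mounted drive, or a directory copied from one, and reports generic dropper patterns together with SHA-256 hashes for later lookup. The patterns it looks for (autorun.inf, executables at the drive root, double extensions, executables named after a sibling folder) are standard heuristics for USB-borne malware and are assumptions here, not behaviour the page attributes to Dark Tequila. The sample drive is constructed in a temporary directory.

```python
"""Triage a removable drive for USB-borne droppers (added example; generic heuristics)."""
import hashlib
import os
import shutil
import tempfile

# File types worth flagging on a data stick. Assumed list, not Dark Tequila specific.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def sha256_file(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_removable(root):
    """Walk a mounted drive (or a directory copied from one).

    Returns a sorted list of (reason, relative_path, sha256) tuples for files that
    match a generic USB-worm pattern. Ordinary documents are not reported.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            rel_path = os.path.normpath(os.path.join(rel_dir, name))
            full_path = os.path.join(dirpath, name)
            if name.lower() == "autorun.inf":
                reason = "autorun.inf present"
            elif ext.lower() in EXECUTABLE_EXT:
                if stem.lower() in sibling_dirs:
                    # Classic lure: "Documents.exe" next to a real "Documents" folder.
                    reason = "executable named after sibling folder"
                elif os.path.splitext(stem)[1]:
                    # "invoice.pdf.exe" looks like a PDF when extensions are hidden.
                    reason = "double extension"
                elif rel_dir == ".":
                    reason = "executable at drive root"
                else:
                    continue
            else:
                continue
            findings.append((reason, rel_path, sha256_file(full_path)))
    return sorted(findings)


def build_sample_drive():
    """Create a throwaway directory that imitates an infected stick (constructed data)."""
    root = tempfile.mkdtemp(prefix="usb_triage_")
    os.makedirs(os.path.join(root, "Documents"))
    samples = {
        os.path.join("Documents", "report.docx"): b"benign document",
        "Documents.exe": b"MZ fake dropper 1",
        "invoice.pdf.exe": b"MZ fake dropper 2",
        "setup.exe": b"MZ fake dropper 3",
        "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\n",
        os.path.join("Documents", "tool.exe"): b"MZ not flagged by these heuristics",
    }
    for rel_path, content in samples.items():
        with open(os.path.join(root, rel_path), "wb") as handle:
            handle.write(content)
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    try:
        for reason, rel_path, digest in triage_removable(drive):
            print(f"{reason:40s} {rel_path:20s} {digest}")
    finally:
        shutil.rmtree(drive)
```

Point it at a mount point opened read-only, or at an image copied from the drive, and check the reported hashes against your own sample repository before detonating anything. Note that an executable sitting in a subfolder with an innocent single extension (the constructed `Documents/tool.exe`) is deliberately not reported, which is the limit of name-based heuristics; hashing and sandboxing remain the real test.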
