
Dark Tequila

Posted: August 31, 2018

The Dark Tequila is spyware that specializes in compromising Mexican banking customers, although its attacks can be just as effective against other targets. Victims should assume that the passwords for their Web-browsing accounts may have been collected and take appropriate steps to re-secure them after dealing with any infection. Have a dedicated anti-malware program remove the Dark Tequila, and avoid sharing any USB drives in the meantime, since this threat may infect them.

A Drink with Dire Financial Consequences

An old but previously unexamined form of spyware is only now receiving the cyber-security industry's in-depth analysis. This half-decade-old spyware, the Dark Tequila, has maintained a low profile due to its limited use in highly-targeted campaigns against the customers of Mexican banking institutions. Its features include both generally-applicable data-collecting functions and a worm-like USB propagation technique that malware analysts warn could be used to compromise entire networks.

For the past five years, the Dark Tequila's threat actor has been deploying the Dark Tequila against victims meeting the above parameters while running a self-uninstalling module on any 'inappropriate' systems that the spyware infects by accident. Its infection strategies use both compromisable USB drives (a second module infects the device automatically and, through it, other PCs) and phishing e-mail attacks, such as disguised file attachments. The threat actor's motivation appears to be gaining access to both banking credentials and other account logins.

Malware researchers can confirm the Dark Tequila's using up to four additional modules besides the above two, making for a total of six. The bulk of the features in these remaining components include:

  • Maintaining the threat's system persistence (without, of course, alerting the user).
  • Handling Command & Control network communications, which also include leveraging MitM attacks for anti-threat analysis purposes.
  • Running keylogging attacks that collect keyboard-typed information, particularly, for specific websites, such as banking domains.
  • Exfiltrating saved passwords from a variety of applications and accounts, such as FTP clients and e-mail software (the Dark Tequila's last data-collecting component).

Setting Down the Dark Web's Shot Glass

The Dark Tequila's choice of targets is at the preference of its criminal admin, and not a technical limitation or a hard-coded feature of its payload. Because the Dark Tequila can compromise multiple PCs by exploiting shared USB devices, any victims should be cautious about using a potentially infected USB without taking appropriate precautions. As a general, preemptive security guideline, malware experts also encourage disabling USB auto-run features, which the Dark Tequila may abuse during its installation efforts.
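The auto-run hardening and USB precautions mentioned above can be audited and applied from an elevated PowerShell session on a Windows host. The script below is an added example written for this page, not code from the original article or from any analysis of the Dark Tequila; the registry value names (`NoDriveTypeAutoRun`, `NoAutorun` under the Explorer policies key) are Microsoft's documented policy values, while the function names and the list of flagged file extensions are this example's own assumptions.

```powershell
# Added example (not from the original article): audit and harden Windows
# AutoRun/AutoPlay handling so that inserting a removable drive cannot launch
# code, then list removable drives that carry an autorun.inf or hidden
# executables at their root for manual inspection. Run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    # Returns the current machine-wide policy values ($null where a value is not set).
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $props.NoDriveTypeAutoRun
        NoAutorun          = $props.NoAutorun
    }
}

function Set-AutoRunDisabled {
    # 0xFF disables AutoRun on every drive type; NoAutorun = 1 stops Explorer
    # from honouring autorun.inf entries at all.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'NoAutorun' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Find-SuspiciousRemovableDrives {
    # DriveType 2 = removable media. Flag drives that carry an autorun.inf or
    # hidden executable-type files at the root, a common layout for USB-borne
    # infectors. The extension list is an assumption of this example.
    $flaggedExtensions = '.exe', '.scr', '.lnk', '.vbs'
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $root = $_.DeviceID + '\'
        $hidden = Get-ChildItem -Path $root -Force -File -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.Extension -in $flaggedExtensions) -and
                (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            }
        [pscustomobject]@{
            Drive             = $_.DeviceID
            HasAutorunInf     = Test-Path (Join-Path $root 'autorun.inf')
            HiddenExecutables = @($hidden | Select-Object -ExpandProperty Name)
        }
    }
}

'Policy before:'; Get-AutoRunPolicy
Set-AutoRunDisabled
'Policy after:';  Get-AutoRunPolicy
Find-SuspiciousRemovableDrives | Format-Table -AutoSize
```

A drive that shows `HasAutorunInf = True` or a non-empty `HiddenExecutables` list is not proof of infection, but it is the kind of drive the article advises against sharing until an anti-malware scan has cleared it; the policy change applies to the local machine, and in a domain the same two values are normally pushed through Group Policy instead.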

While the Dark Tequila is fully capable of uninstalling itself under the direction of its C&C orders, victims shouldn't assume that the threat actor will do so. Symptoms of the Dark Tequila infections are negligible, and most users should depend on appropriate anti-malware products warning them of the presence of this threat. Update your anti-malware programs' threat databases for deleting the Dark Tequila as accurately as possible, and change any passwords or related credentials that it may have passed into the threat actor's possession.

The Dark Tequila is a high-level and sophisticated threat that demonstrates how long a criminal can maintain his cover merely by choosing his targets carefully. Even though the Dark Tequila's campaign is highly specific in scope, its prerequisites for a victim may change at any point, putting the information of users outside of Mexico in equal danger.
