Kaspersky Lab announced on Tuesday (Aug. 21) that it discovered a sophisticated cyber-operation named Dark Tequila, which has been targeting Mexicans for the past five years. Using malware, the hacker or hackers steals bank credentials and personal and corporate data.
According to a press release from Kaspersky, the malware is spread via infected USB devices, as well as through spear phishing emails that include features to evade detection. The security software company said the suspected actor behind Dark Tequila is thought to be Spanish speaking and Latin American in origin. Kaspersky noted that the malware connected to Dark Tequila is “unusually sophisticated” for financial fraud operations.
“The threat is focused mainly on stealing financial information, but once inside a computer, it also siphons off credentials to other sites, including popular websites, harvesting business and personal email addresses, domain registers, file storage accounts and more, possibly to be sold or used in future operations,” the company said. “Examples include Zimbra email clients and the websites for Bitbucket, Amazon, GoDaddy, Network Solutions, Dropbox, Rackspace and others.”
The security firm noted that the malicious implant contains all the modules that are required for the operation, including a key logger and windows monitoring capability to capture login details and other personal information.
Kaspersky said Dark Tequila has been actively targeting Mexican users since at least 2013. The presence of Spanish words in the code and evidence of local knowledge suggest the threat action is from Latin America.
“At first sight, Dark Tequila looks like any other banking Trojan, hunting information and credentials for financial gain. Deeper analysis, however, reveals a complexity of malware not often seen in financial threats,” said Dmitry Bestuzhev, head of Kaspersky’s global research and analysis team in Latin America. “The code’s modular structure, as well as its obfuscation and detection mechanisms, help it to avoid discovery and deliver its malicious payload only when the malware decides it is safe to do so. This campaign has been active for several years, and new samples are still being found. To date, it has only attacked targets in Mexico, but its technical capability is suitable for attacking targets in any part of the world.”