A recently discovered, complex malicious campaign attempting to steal financial information and login credentials from Mexican users has been ongoing for at least five years, Kaspersky Lab says.
As part of the campaign, the attackers deliver a multi-stage payload to their victims, but only if specific criteria are met. For example, no infection is performed if a security suite is installed on the victim’s machine or if the malicious code detects it is being executed in an analysis environment.
Dubbed Dark Tequila, the malicious campaign targets the customers of several Mexican banking institutions, but also attempts to compromise login credentials for popular websites, including code versioning repositories, public file storage accounts and domain registrars.
According to Kaspersky, some comments embedded in the code were written in the Spanish language and use words only spoken in Latin America, suggesting that the threat actor behind it is Spanish-speaking and Latin American in origin. The attackers use spear-phishing and infected USB devices for infection.
“The threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim’s machine,” Kaspersky explains.
Both the Dark Tequila malware and the infrastructure used as part of the campaign are highly sophisticated compared to typical financial fraud operations, the security firm reports.
“At first sight, Dark Tequila looks like any other banking Trojan, hunting information and credentials for financial gain. Deeper analysis, however, reveals a complexity of malware not often seen in financial threats,” said Dmitry Bestuzhev, head of Global Research and Analysis Team, Latin America, Kaspersky Lab.
The malicious implant has a modular design and contains all of the components needed to perform the malicious operation, with the attackers being able to decrypt and activate different modules remotely. The stolen information is sent to the attackers’ server in encrypted form.
A total of six modules were observed being used in this campaign. The first module is responsible for communication with the command and control server, while the second cleans up the system if virtualization or debugging tools are detected.
The third module acts as a keylogger and can steal information from various banking sites, flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.
The fourth module is an information stealer that targets saved passwords in browsers and email and FTP clients, the fifth is a USB infector that copies an executable file to a targeted removable drive (thus allowing the malware to move offline, like a worm), while the sixth module is a service watchdog that makes sure the malware is running properly.
“The code’s modular structure, as well as its obfuscation and detection mechanisms, help it to avoid discovery and deliver its malicious payload only when the malware decides it is safe to do so. This campaign has been active for several years and new samples are still being found. To date, it has only attacked targets in Mexico, but its technical capability is suitable for attacking targets in any part of the world,” Bestuzhev added.