What is Dark Tequila?

Dark Tequila is a malicious campaign that primarily aims to steal financial information. The campaign has been actively targeting Mexican users since 2013 but has only been noticed recently by researchers at Kaspersky. The campaign, which has been dubbed Dark Tequila, delivers a sophisticated keylogger to the victim’s computer and proceeds to steal financial information from a long list of banking websites. Dark Tequila virus

However, it also steals login details to certain websites, like public file storage and domain registrars. Researchers who discovered the malware campaign note that it spreads via spear-phishing and USB devices. Attackers likely use known company/organisation names to send phishing emails to victims and the lead them to malicious sites, from where malware can then install onto the computer unnoticed. When a USB device is connected to an infected computer, the device also becomes infected and can then spread the malware to other computers.

This highly sophisticated campaign has managed to escape notice for 5 years by using certain evasion techniques. When the malware enters the targeted computer, certain conditions need to be met in order for the multi-stage payload to infect. If an anti-virus program or some other security suite is detected, the malware is uninstalled from the device. This has allowed the malware to evade cybersecurity researchers’ notice for such a long time.

The keylogger installed on a computer can go unnoticed for a long time, as it only installs on systems that do not have security software installed. However, if you install anti-malware software after infection, it does detect it so you can remove Dark Tequila.

How does it spread?

According to Kaspersky, the campaign uses two methods to spread the malware, spear-phishing and USB devices. Spear-phishing is a popular methods among criminals because if it’s sophisticated enough, it can fool even the more security cautious people. What criminals do essentially is, they send out emails to potential victims, pretending to be from legitimate companies/organisations. The emails would look very much like those actually sent by the company but, unknowingly to the user, would contain links to malicious sites. For example, a potential victim may receive an email from their bank, which says that for whatever reason, the user needs to check their online banking account. The email would provide a link, which when pressed would take the user to a seemingly harmless but actually malicious site that would download the malware onto the user’s computer.

This is why users needs to be very careful when pressing on links to emails. If you hover the cursor on the link, it would show the site that it links to, and if it looks even remotely suspicious, do not press on it. If you receive an email from a bank, or any other company, asking you to press on a link, it would be wise to be suspicious. If you are asked to check your account, do so by manually going to your account and not by pressing on the link.

When a USB device is connected to an infected computer, the malware automatically infects the USB, allowing the infection to continue spreading offline.

How does the malware behave?

When the malware is delivered to a computer, it checks for installed security software, whether the computer is running a virtual machine or if there are any debugging tools running the background. If it detects anything unusual, it deletes itself and all its components. It has also been noted that if the infected computer is outside of Mexico, the malware will also remove itself. As soon as a computer is infected and when it has been deemed safe to proceed, the malware contacts its command-and-control (C&C) server for instructions and releases its keylogger payload.

The keylogger works in the background without showing any obvious signs, and proceeds to steal financial information and login credentials. While it primarily aims to steal financial information, it will also take login credentials from a list of targeted sites, which include Microsoft Office 365, Amazon, Dropbox, Zimbra email, GoDaddy, Register, Namecheap, etc. It could steal email addresses, file storage accounts, domain registers and everything that goes with them. Stolen data is encrypted and then transferred to the C&C server.

Kaspersky researchers suspect that the group behind this malware campaign are from Latin America, as the code has words used only in that region.

The malware campaign still seems to be active, and Kaspersky warns that it can be deployed anywhere in the world and can target anyone.

Dark Tequila removal

One of the reasons why keyloggers are so dangerous is because they can operate in the background unnoticed. If you have no security software installed, you might not notice anything unusual until it’s too late. This kind of malware is why having anti-virus software installed is so critical. If you are indeed infected, it would not have happened if you had security software installed. What you need to do now is remove Dark Tequila with anti-virus. It should be detected by most security programs but make sure you use a reliable one. After you uninstall Dark Tequila, proceed to change your sensitive account credentials and check your bank statements for any unusual activity.

The malware is detected by security software as:

  • Trojan.Win32.DarkTequila and Trojan.Win64.DarkTequila by Kaspersky;
  • FileRepMetagen [Malware] by Avast and AVG;
  • a variant of Win32/Kryptik.EBTT by ESET;
  • Trojan.Downloader.FB by Malwarebytes.


More information about WiperSoft and Uninstall Instructions. Please review WiperSoft EULA and Privacy Policy. WiperSoft scanner is free. If it detects a malware, purchase its full version to remove it.

  • wipersoft

    WiperSoft Review Details WiperSoft (www.wipersoft.com) is a security tool that provides real-time security from potential threats. Nowadays, many users tend to download free software from the Intern ...

  • mackeeper

    Is MacKeeper a virus? MacKeeper is not a virus, nor is it a scam. While there are various opinions about the program on the Internet, a lot of the people who so notoriously hate the program have neve ...

  • malwarebytes-logo2

    While the creators of MalwareBytes anti-malware have not been in this business for long time, they make up for it with their enthusiastic approach. Statistic from such websites like CNET shows that th ...


Site Disclaimer

2-remove-virus.com is not sponsored, owned, affiliated, or linked to malware developers or distributors that are referenced in this article. The article does not promote or endorse any type of malware. We aim at providing useful information that will help computer users to detect and eliminate the unwanted malicious programs from their computers. This can be done manually by following the instructions presented in the article or automatically by implementing the suggested anti-malware tools.

The article is only meant to be used for educational purposes. If you follow the instructions given in the article, you agree to be contracted by the disclaimer. We do not guarantee that the artcile will present you with a solution that removes the malign threats completely. Malware changes constantly, which is why, in some cases, it may be difficult to clean the computer fully by using only the manual removal instructions.

Leave a Reply