Dark Tequila

What is Dark Tequila?

Malware researchers have recently become aware of a new malicious application, which has been named Dark Tequila. The infection itself is not exactly new: thorough analysis by malware researchers has clearly shown that Dark Tequila has been active since 2013. We can only guess how many users it has already affected, but since it is capable of replicating itself like a worm, it is very likely that thousands of users have already fallen victim to it. It is not easy to notice that this infection has entered a system, so we do not blame those users who find out about its presence only when they realize that financial information and login credentials have been stolen from them. Dark Tequila uses sophisticated evasion techniques in order not to get caught; specifically, specialists have observed that it uses UPX and the Yoda crypter to avoid detection. Of course, that does not mean it is impossible to find out about its presence on the system. You just need to perform a scan with a diagnostic antimalware scanner. If malware is detected, make sure you erase it ASAP. Do not forget that it has infiltrated your computer to steal sensitive information!

What does Dark Tequila do?

Dark Tequila has features of both a worm and a keylogger. The primary goal of the infection is to steal sensitive information and login credentials, so if you ever encounter it, serious privacy problems might arise in no time. It is already known that Dark Tequila targets Bitbucket, Amazon, GoDaddy, Dropbox, Rackspace, Zimbra email, and Microsoft Office 365, but this is surely not the full list of services. Security specialists say that users living in Mexico must be the most cautious of all, because Mexican users appear to be its main target. If the victim's geographic location, derived from the IP address, shows that he/she does not live in Mexico, and/or malware analysis tools are installed on the system, it deletes itself immediately. According to malware researchers, this does not mean that the threat cannot be used to steal information from users living in other countries as well.

Where does Dark Tequila come from?

There is nothing really extraordinary about the distribution of Dark Tequila. Specialists say that it is mainly spread via phishing emails and USB flash drives. As specialists have observed, it copies itself to any attached USB flash drive immediately after a successful installation. Dark Tequila drops only one file on the affected computer (csrss.dll) and three different files on the attached USB flash drive (autorun.exe, pictures.exe, and autorun.inf). It does not seem to be a sophisticated malicious application at first glance, but it is, believe us. Research has shown that it has 6 different modules, which is surely quite unique. The first one is responsible for communication between the affected computer and the C&C server. The second one checks for unusual activity, e.g. running on a virtual machine, and performs a system cleanup if something suspicious is found. The third module is a keylogger: it logs victims' keystrokes in order to steal sensitive information and login credentials. The fourth module extracts login credentials. The fifth one is responsible for infecting more computers via USB flash drives. Finally, the last module is set to maintain the normal behavior of Dark Tequila. The threat will not remove itself from your PC automatically after some time, so make sure you take care of it yourself ASAP if it turns out that it has affected your system.

How to remove Dark Tequila

The removal of a single file (%WINDIR%\csrss.dll) is all you need to do to erase Dark Tequila from the system. Of course, that will not be enough if a USB flash drive was attached to your PC at the time the malware entered. In this case, you will have to take care of three additional files as well. It is a must to clean the affected USB flash drive, because you will infect another computer if you connect that USB stick to it.

Dark Tequila removal guide

  1. Press Win+R and then insert %WINDIR% into the box. Click OK.
  2. Delete the file named csrss.dll.
  3. Remove autorun.exe, pictures.exe, and autorun.inf from the affected USB flash drive.
  4. Right-click on your Recycle Bin and then click Empty Recycle Bin.
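As an added example (not code from the original write-up), the following Python triage script checks a Windows directory and a USB root for the file names listed in the steps above and reports what the autorun.inf would launch; it only reports, so removal stays the manual steps above. The directory layout it scans is a constructed sample, and the Windows and USB paths it assumes are hypothetical.

```python
import os
import tempfile

# Names from the write-up; a legitimate csrss.exe lives in %WINDIR%\System32,
# so a csrss.dll directly under %WINDIR% is a useful discriminator.
HOST_INDICATOR = "csrss.dll"
USB_INDICATORS = ("autorun.exe", "pictures.exe", "autorun.inf")

def parse_autorun_inf(path):
    """Return the launch targets (open= / shellexecute=) of an autorun.inf file."""
    targets = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key.strip().lower() in ("open", "shellexecute"):
                targets.append(value.strip())
    return targets

def scan_host(windir):
    """Report the single host-side indicator named on the page."""
    path = os.path.join(windir, HOST_INDICATOR)
    return [f"host: {path} present"] if os.path.isfile(path) else []

def scan_usb(usb_root):
    """Report the three USB-side indicators and what autorun.inf would launch."""
    findings = [f"usb: {n} present in {usb_root}" for n in USB_INDICATORS
                if os.path.isfile(os.path.join(usb_root, n))]
    inf = os.path.join(usb_root, "autorun.inf")
    if os.path.isfile(inf):
        for target in parse_autorun_inf(inf):
            if os.path.basename(target).lower() in USB_INDICATORS:
                findings.append(f"usb: autorun.inf launches {target}")
    return findings

def build_sample_tree():
    """Constructed sample: a hypothetical Windows dir and USB root in a temp dir."""
    base = tempfile.mkdtemp(prefix="dark_tequila_sample_")
    windir, usb = os.path.join(base, "Windows"), os.path.join(base, "USB")
    os.makedirs(windir)
    os.makedirs(usb)
    open(os.path.join(windir, "csrss.dll"), "wb").close()
    for name in ("autorun.exe", "pictures.exe"):
        open(os.path.join(usb, name), "wb").close()
    with open(os.path.join(usb, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=autorun.exe\nicon=pictures.exe\n")  # constructed
    return windir, usb

if __name__ == "__main__":
    w, u = build_sample_tree()
    print("\n".join(scan_host(w) + scan_usb(u)))
```

Patched Windows versions no longer honor autorun.inf on removable media, so the autorun.inf finding signals intent rather than guaranteed execution, while pictures.exe still relies on the user opening it.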
