Hello Zimbra Friends,
This blog post is to update you on the Dark Tequila malicious campaign and its possible impact on Zimbra users.
Dark Tequila is a complex, malicious campaign targeting Mexican users, with the primary purpose of stealing financial information and login credentials to popular websites (ranging from code versioning repositories to public file storage accounts and domain registrars).
Dark Tequila does not exploit any vulnerability in Zimbra. Instead, email services and clients such as Zimbra are just one of the many things whose credentials Dark Tequila tries to steal once it is running on a victim's machine.
The Dark Tequila malware and its supporting infrastructure are unusually sophisticated for a financial fraud operation. Here’s an excerpt from the original post (ref: https://securelist.com/dark-tequila-anejo/87528/) showing just some of the applications and services that are targeted for credential stealing:
“Module 3 – Keylogger and Windows Monitor. This is designed to steal credentials from a long list of online banking sites, as well as generic Cpanels, Plesk, online flight reservation systems, Microsoft Office365, IBM lotus notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.”
Best practices for end-users to protect their credentials from theft include:
- Do not share or reuse passwords – use strong, unique passphrases on every service
- Avoid phishing scams – don’t open suspicious emails, be wary of unexpected emails, verify links before clicking… be paranoid
- Use multi-factor authentication
- Use highly regarded antivirus software on every device you use
Dark Tequila remains active. It can be deployed in any part of the world, and it attacks any target intended by the threat actor who deploys it. Kaspersky Lab detects the campaign as Trojan.Win32.DarkTequila and Trojan.Win64.DarkTequila.
Please warn your end-users.
Your Zimbra Friends and Colleagues