“Tequila Botnet” Targets Mexican Users

We recently received a report of a new phishing attack that originated from Mexico. It takes advantage of the controversial news about an allegedly missing four-year-old girl, Paulette Gebara Farah, who was later found dead in her own bedroom.  On investigation we found that this attack came from a Mexican botnet and that it was trying to steal banking / financial related information from users.
Online banking is widely used in Latin America, and this attack is another example of Cybercriminals targeting the online banking community in an effort to extort money and sensitive financial information. 
Users who are following the said news may fall prey to this attack by visiting the page http://www.knijo.{BLOCKED}0.net/fotografias-al-desnudo-de-la-mama-de-paulette.htm, which contains an article about Paulette and claims to show nude photos of her mother. When a user accesses this page, a fake dialog box pops up and requests the user to download and install Adobe Flash Player.

Clicking Run leads to the download of the file video-de-la-mama-de-paulette.exe, which is actually the client program of a bot detected by Trend Micro as TSPY_MEXBANK.A.
During our investigation, we were able to access the botnet’s command-and-control (C&C) interface and to learn about its management functions. We were able to enter the management interface and to see for (continue reading...)