Tatanga, a new banking trojan in action

Tatanga is a new discovered banking trojan affecting almost all Windows browsers : Internet Explorer, Mozilla Firefox, Google Chrome, Safari for Windows, Opera, Maxthon, Netscape and Konqueror. The trojan is written in C++ programming language and uses rootkit technologies in order to hide its files. The targeted banks are located for now in: Spain, United Kingdom, Germany and Portugal but it is expected to be seen an extended range of action in the near future as the trojan has a very poor antivirus detection rate.
It can perform automatic transactions with the stolen banking credentials spoofing the real balance and banking operations of the users and try to avoid antivirus detection by injecting its code in the browser, Windows explorer or other legitimate processes.
The technology used by Tatanga trojan is the so called “Man in the Browser”(MitB in short), in fact it is very similar to HTML forms injections used by Zeus or Spy Eye banking trojans, hooking the dll functions used by the browsers.
Once a computer is infected, the trojan will download additional encrypted modules: a configuration file, an email adresses grabber, a module used to encrypt the communication with the server(XOR encryption), a module able to remove other banking trojans as Zeus, a module for annihilating the installed antivirus and a module used for HTML forms injection in the browser. The modules are decrypted in RAM memory to avoid the antivirus detection and afterwards are injected in the browser process space.
As the features, Tatanga supports 32 and 64 bits operating Windows systems, it has anti-debugging and anti-virtual machine codes and functions to prevent Trusteer Rapport from being downloaded. Seven malware domains are used to act like proxies between the infected machine and Command & Control server in order to hide the real hackers IP adresses.
Source : http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html

Keep safe !

Posted in Thoughts.

Leave a Reply

Your email address will not be published. Required fields are marked *