Recently our e-crime unit has detected a new banking trojan, named as Tatanga, with Man in the Browser (MitB) functions affecting banks in Spain, United Kingdom, Germany and Portugal. Like SpyEye, it can perform automatic transactions, retrieving the mules from a server and spoofing the real balance and banking operations of the users. Its detection rate is very low, and the few antivirus engines that can detect it yield a generic result.
The trojan in question is rather sophisticated. It is written in C++ and uses rootkit techniques to conceal its presence, though on occasion, its files are visible. The trojan downloads a number of encrypted modules (DLLs), which are decrypted in memory when injected to the browser or other processes to avoid detection by antivirus software. The modules are the following:
- ModEmailGrabber: It gathers e-mail addresses.
- Coredb: It manages the trojan's configuration. The corresponding file is encrypted with the algorithm 3DES.
- Comm Support Library: This module implements the encryption of the communication between the trojan and the control panel.
- File Patcher: The function of this module is not clear yet. It is suspected that it is in charge of the propagation across folders containing multimedia, zipped or executable files.
- ModMalwareRemover: Used in the removal of other malware families, including Zeus.
- ModBlockAVTraffic: It blocks the antivirus application installed in the system.
- ModDynamicInjection: Related to HTML injections
The modules names ModEmailGrabber and ModMalwareRemover might have been used in a bot in 2008, so maybe this is the result of the evolution of that malware.
Like other trojans of this kind, it uses an encrypted configuration file. This file is in XML format and has a
element for each affected country. The code for each country is encoded and has the following format:
Depending on the targeted bank, the trojan can passively grab the credentials or ask for more in order to make the fraudulent transaction in the user session. In some cases the requested credentials include the OTP mobile key and they success thanks to a good social engineering in their injections:
Seven compromised web sites are hardcoded and act as proxys to the real control panel. Their functions range from data sending to notifying infections and obtaining money mules' accounts. The format of the URLs are the following:
This malware affects nine browsers, covering almost all Windows users:
- Internet Explorer
- Mozilla Firefox
- Google Chrome
Some additional functionalities of the trojan:
- 64-bit support: it injects into explore.exe in 32-bit systems and it's executed as a normal process in 64-bit systems.
- Anti-VM and anti-debugging techniques
- Dump online banking pages and send them to the server, probably in order to improve the injected code
- Weak encryption algorithm in the communication with the C&C based on XOR operations.
- Commands accepted from the C&C: modinfo, softstat, cmd, stopos, startos, reboot, winkill, die, instsoft, proclist, clearcookies, setlevel, kill
- Functions to prevent Trusteer Rapport from being downloaded
We have seen lots of comments and test functions, so maybe this is just a test to improve its functions before spreading it. Stay tuned!
Jozsef Gegeny & Jose Miguel Esparza