
Tatanga: a new banking trojan with MitB functions

Recently our e-crime unit has detected a new banking trojan, named Tatanga, with Man in the Browser (MitB) functions affecting banks in Spain, the United Kingdom, Germany and Portugal. Like SpyEye, it can perform automatic transactions, retrieving the mules from a server and spoofing the real balance and banking operations of the users. Its detection rate is very low, and the few antivirus engines that detect it yield only a generic result.

The trojan in question is rather sophisticated. It is written in C++ and uses rootkit techniques to conceal its presence, though on occasion its files are visible. The trojan downloads a number of encrypted modules (DLLs), which are decrypted in memory when injected into the browser or other processes, to avoid detection by antivirus software. The modules are the following:

  • ModEmailGrabber: It gathers e-mail addresses.

  • Coredb: It manages the trojan's configuration. The corresponding file is encrypted with the 3DES algorithm.

  • Comm Support Library: This module implements the encryption of the communication between the trojan and the control panel.

  • File Patcher: The function of this module is not clear yet. It is suspected to be in charge of propagation across folders containing multimedia, zipped or executable files.

  • ModMalwareRemover: Used to remove other malware families, including Zeus.

  • ModBlockAVTraffic: It blocks the antivirus application installed on the system.

  • ModDynamicInjection: Related to HTML injections.

The module names ModEmailGrabber and ModMalwareRemover may already have been used by a bot in 2008, so this may be the result of the evolution of that malware.

Like other trojans of this kind, it uses an encrypted configuration file. This file is in XML format and has an element for each affected country. The code for each country is encoded and has the following format:

^^monitorized_url1~~monitorized_url2||code_replaced_in_legit_webpage||code_to_replace_for
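To show what an analyst can pull out of a decoded country entry in the format above, here is an added example (not code from the original post or from S21sec) that parses entries of that shape, lists the hosts the trojan watches, and checks a captured page against a clean copy for an injected fragment. The sample entries, host names and the substring-based page check are constructed assumptions for illustration; the post does not document how the trojan itself matches URLs.

```python
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass
class InjectEntry:
    """One decoded entry: the URLs to watch, the page fragment that is
    replaced, and the fragment that replaces it."""
    monitored_urls: List[str]
    original_code: str
    injected_code: str


def parse_inject_entry(entry: str) -> InjectEntry:
    """Parse a decoded entry of the form
    ^^url1~~url2||code_replaced_in_legit_webpage||code_to_replace_for
    and raise ValueError on anything that does not fit that shape."""
    if not entry.startswith("^^"):
        raise ValueError("entry does not start with '^^'")
    fields = entry[2:].split("||")
    if len(fields) != 3:
        raise ValueError(f"expected 3 '||'-separated fields, got {len(fields)}")
    url_field, original, injected = fields
    urls = [u.strip() for u in url_field.split("~~") if u.strip()]
    if not urls:
        raise ValueError("entry carries no monitored URL")
    if not original:
        raise ValueError("entry has an empty replacement target")
    return InjectEntry(urls, original, injected)


def parse_config(entries: List[str]) -> List[InjectEntry]:
    """Parse every entry, skipping malformed ones so that one bad line does
    not hide the rest of the configuration from the analyst."""
    parsed = []
    for raw in entries:
        try:
            parsed.append(parse_inject_entry(raw))
        except ValueError:
            continue
    return parsed


def monitored_hosts(entries: List[InjectEntry]) -> Set[str]:
    """Collect the hostnames the trojan watches: the part of the config that
    tells you which banks are targeted."""
    hosts = set()
    for e in entries:
        for url in e.monitored_urls:
            m = re.match(r"^(?:https?://)?([^/]+)", url)
            if m:
                hosts.add(m.group(1).lower())
    return hosts


def page_was_injected(clean_html: str, served_html: str,
                      entries: List[InjectEntry]) -> bool:
    """True when a page captured from a suspect host contains an injected
    fragment that the clean reference copy of the same page lacks."""
    return any(e.injected_code and e.injected_code in served_html
               and e.injected_code not in clean_html for e in entries)


# Constructed sample entries in the post's format; the hosts are documentation
# names, not real banks, and the injected fragments are placeholders.
SAMPLE_CONFIG = [
    "^^https://online.example-bank.test/login~~https://www.example-bank.test/secure/"
    "||</form>||<div id=\"extra-field\"><!-- injected --></div></form>",
    "^^https://bank2.example/ebanking||<body>||<body onload=\"f()\">",
    "garbage line that is not an entry",
]

if __name__ == "__main__":
    entries = parse_config(SAMPLE_CONFIG)
    print("targeted hosts:", sorted(monitored_hosts(entries)))
    clean = "<html><body><form>...</form></body></html>"
    served = clean.replace("</form>", entries[0].injected_code)
    print("captured page injected:", page_was_injected(clean, served, entries))
```

Comparing against a clean copy matters because an injected fragment may itself end with the original fragment (as in the first sample entry), so simply checking whether the original text is still present would miss the tampering.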


Depending on the targeted bank, the trojan can passively grab the credentials or ask for more in order to make the fraudulent transaction within the user's session. In some cases the requested credentials include the mobile OTP key, and they succeed thanks to good social engineering in their injections:

Seven compromised web sites are hardcoded and act as proxies to the real control panel. Their functions range from sending data to notifying infections and obtaining money mules' accounts. The URLs have the following formats:

http://hacked_site.com/com/m.php?f=module.dll
http://hacked_site.com/com/c.php
http://hacked_site.com/com/d.php
http://control_panel/srvpnl/upload/module.dll
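Because the proxy hosts are arbitrary compromised sites, the stable part of these URLs is the path. The following added example (not from the original post or S21sec) classifies proxy-log URLs against the four formats above and then correlates per client, since paths such as /com/c.php are generic enough to show up on innocent sites. The log lines are constructed in Squid's native format with documentation addresses, and the module file names are taken from the post's module list in lower case.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlparse

# Constructed proxy log lines (Squid native format: timestamp elapsed client
# code/status bytes method URL user hierarchy type). Hosts and addresses are
# documentation values; the paths follow the formats listed in the post.
SAMPLE_LOG = """\
1329000001.123 45 10.0.0.12 TCP_MISS/200 1234 GET http://hacked-site.example/com/m.php?f=coredb.dll - DIRECT/203.0.113.9 application/octet-stream
1329000002.456 12 10.0.0.12 TCP_MISS/200 200 POST http://hacked-site.example/com/c.php - DIRECT/203.0.113.9 text/html
1329000003.789 30 10.0.0.15 TCP_HIT/200 5000 GET http://www.example-news.test/index.html - NONE/- text/html
1329000004.000 20 10.0.0.15 TCP_MISS/200 180 POST http://shop.example/com/c.php - DIRECT/203.0.113.20 text/html
1329000005.000 20 10.0.0.12 TCP_MISS/200 4096 GET http://192.0.2.7/srvpnl/upload/moddynamicinjection.dll - DIRECT/192.0.2.7 application/octet-stream
"""


@dataclass
class Hit:
    client: str
    url: str
    reason: str


def classify_url(url: str) -> Optional[str]:
    """Map a URL onto one of the post's C&C URL formats, or None.
    The hostname is ignored on purpose: the proxies are compromised sites."""
    p = urlparse(url)
    path = p.path
    if path == "/com/m.php":
        f = parse_qs(p.query).get("f", [""])[0]
        if f.lower().endswith(".dll"):
            return "module download through proxy (m.php?f=*.dll)"
        return None
    if path in ("/com/c.php", "/com/d.php"):
        return "check-in or data upload (c.php/d.php)"
    if re.fullmatch(r"/srvpnl/upload/[^/]+\.dll", path, re.IGNORECASE):
        return "module download from control panel (srvpnl/upload)"
    return None


def scan_log(log_text: str) -> List[Hit]:
    """Return one Hit per log line whose URL matches a known format."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed line
        client, url = fields[2], fields[6]
        reason = classify_url(url)
        if reason:
            hits.append(Hit(client, url, reason))
    return hits


def likely_infected(hits: List[Hit]) -> Set[str]:
    """Only flag clients that both fetched a DLL through one of the module
    paths and talked to c.php/d.php; a lone c.php request is too generic."""
    by_client: Dict[str, Set[str]] = {}
    for h in hits:
        by_client.setdefault(h.client, set()).add(h.reason)
    return {
        c for c, reasons in by_client.items()
        if any("module download" in r for r in reasons)
        and any("check-in" in r for r in reasons)
    }


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.client} {h.reason}: {h.url}")
    print("likely infected clients:", sorted(likely_infected(found)))
```

On the sample log, 10.0.0.15 only posts to a /com/c.php on a shop site and is not flagged, while 10.0.0.12 downloads two DLLs and checks in, and is.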

This malware affects nine browsers, covering almost all Windows users:

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome
  • Opera
  • Minefield
  • Maxthon
  • Netscape
  • Safari
  • Konqueror

Some additional functionalities of the trojan:

  • 64-bit support: on 32-bit systems it injects into explore.exe, while on 64-bit systems it runs as a normal process.

  • Anti-VM and anti-debugging techniques

  • Dumps online banking pages and sends them to the server, probably in order to improve the injected code.

  • Weak encryption algorithm, based on XOR operations, in the communication with the C&C.

  • Commands accepted from the C&C: modinfo, softstat, cmd, stopos, startos, reboot, winkill, die, instsoft, proclist, clearcookies, setlevel, kill

  • Functions to prevent Trusteer Rapport from being downloaded
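The XOR-based C&C encryption in the list above is weak in a way that works in the analyst's favour: with repeating-key XOR, any known stretch of plaintext reveals the key bytes under it. The following added example (not code from the original post, and not a description of Tatanga's actual scheme, which the post does not detail) assumes a plain repeating-key XOR and recovers the key from a captured blob given only the guess that the plaintext starts like an XML file. The key, plaintext and known prefix are constructed for the demonstration.

```python
from typing import Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """With the first key_len plaintext bytes known, the key falls out
    directly: key[i] = ciphertext[i] XOR plaintext[i]."""
    if key_len < 1 or len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def find_key(ciphertext: bytes, known_prefix: bytes,
             max_len: int = 32) -> Optional[Tuple[int, bytes]]:
    """Try key lengths in increasing order. A wrong length produces a key that
    decrypts only the first key_len bytes correctly, so checking the whole
    known prefix rejects it; the shortest length that reproduces the prefix
    is the period of the key. Only lengths up to len(known_prefix) can be
    tested, which is the method's limit."""
    for key_len in range(1, min(max_len, len(known_prefix)) + 1):
        key = recover_key(ciphertext, known_prefix, key_len)
        if xor_bytes(ciphertext[:len(known_prefix)], key) == known_prefix:
            return key_len, key
    return None


# Constructed sample: a configuration-like XML blob under a 6-byte key.
SAMPLE_KEY = b"s3cr3t"
SAMPLE_PLAINTEXT = b'<?xml version="1.0"?><config><country code="ES"/></config>'
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
# The analyst does not know the key; guessing that the blob is XML is enough.
KNOWN_PREFIX = b'<?xml version="1.0"?>'

if __name__ == "__main__":
    result = find_key(SAMPLE_CIPHERTEXT, KNOWN_PREFIX)
    if result:
        key_len, key = result
        print(f"key length {key_len}, key {key!r}")
        print(xor_bytes(SAMPLE_CIPHERTEXT, key).decode())
    else:
        print("no key up to the tested length reproduces the known prefix")
```

A 3DES-protected file cannot be opened this way, which is why the config encryption and the C&C transport differ in strength; for the transport, a known protocol header or a module name echoed back in a response is all the plaintext an analyst needs.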

We have seen lots of comments and test functions, so maybe this is just a test version to improve its functions before spreading it. Stay tuned!


Jozsef Gegeny & Jose Miguel Esparza
S21sec e-crime

4 comments:

Mark said...

Any chance you could get a sample for analysis please? Isolatedthreat gmail. Thanks!

Griya Mobil Kita said...

Nice article, thanks for the information. rental mobil

butoijoh said...

I absolutely love reading this article, the manner of writing is outstanding. This post as usual was instructive; I have had to bookmark your website and subscribe to this feed in Google Reader. This site looks impressive.


zzz said...

real not simple for "Tatanga: a new banking trojan with MitB functions"

i research and have 40% code it's and info coder

php panel and c++ src ^^

pm skype: seo4loader

if you want see code!


© Copyright S21sec 2013 - All rights reserved