Tatanga: a new banking trojan with MitB functions
- ModEmailGrabber: It gathers e-mail addresses.
- Coredb: It manages the trojan’s configuration. The configuration file is encrypted with 3DES.
- Comm Support Library: This module implements the encryption of the communication between the trojan and the control panel.
- File Patcher: The purpose of this module is not clear yet. It is suspected to handle propagation through folders containing multimedia, compressed or executable files.
- ModMalwareRemover: Used in the removal of other malware families, including Zeus.
- ModBlockAVTraffic: It blocks the antivirus application installed on the system.
- ModDynamicInjection: Handles the HTML injections (the man-in-the-browser component).
This malware affects nine browsers, covering almost all Windows users:
- Internet Explorer
- Mozilla Firefox
- Google Chrome
Some additional functionalities of the trojan:
- 64-bit support: it injects into explorer.exe on 32-bit systems and runs as a normal process on 64-bit systems.
- Anti-VM and anti-debugging techniques.
- Dumps online banking pages and sends them to the server, probably in order to improve the injected code.
- Weak encryption of the communication with the C&C, based on XOR operations.
- Commands accepted from the C&C: modinfo, softstat, cmd, stopos, startos, reboot, winkill, die, instsoft, proclist, clearcookies, setlevel, kill
- Functions to prevent Trusteer Rapport from being downloaded.
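The XOR weakness noted above, illustrated with an added example that is not Tatanga's code and does not reproduce its actual scheme: a repeating-key XOR channel of the kind described, and the two standard ways an analyst breaks it. The key, the beacon and the panel reply below are constructed for the demo; the crib attack only assumes that a reply starts with one of the command names listed on this page.

```python
"""Added example (not Tatanga's code): why a repeating-key XOR "cipher"
on a C&C channel gives no confidentiality.

Assumptions (not taken from the sample): a 4-byte repeating key, a
bot-to-panel beacon and a panel reply that starts with a known command name.
"""
import itertools

# Constructed demo values; the real key and message layout are not known here.
DEMO_KEY = bytes.fromhex("5a13c788")
BEACON = b"softstat|id=0001|os=win7x64|mods=3"
REPLY = b"proclist|kill|clearcookies"


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a repeating key; XOR is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


# Ciphertexts as they would appear on the wire (same key for both directions).
C_BEACON = xor_stream(BEACON, DEMO_KEY)
C_REPLY = xor_stream(REPLY, DEMO_KEY)


def recover_key(ciphertext: bytes, crib: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: C ^ P yields the key stream directly.

    With crib length >= key_len the whole key is exposed. If the crib spans
    more than one key period the periods must agree; a mismatch means the
    guessed key_len (or the crib) is wrong, so a ValueError is raised.
    """
    if len(crib) < key_len:
        raise ValueError("crib shorter than key length")
    stream = bytes(c ^ p for c, p in zip(ciphertext, crib))
    key = stream[:key_len]
    for i, s in enumerate(stream):
        if s != key[i % key_len]:
            raise ValueError("crib/key_len inconsistent at offset %d" % i)
    return key


def find_key(ciphertext: bytes, crib: bytes, max_len: int = 32):
    """Try key lengths 1..max_len; return (key_len, key) for the first that
    is consistent with the crib, or None."""
    for n in range(1, min(max_len, len(crib)) + 1):
        try:
            return n, recover_key(ciphertext, crib, n)
        except ValueError:
            continue
    return None


def recover_other(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Key-reuse attack, no key needed: c1 ^ c2 == p1 ^ p2, so knowing one
    plaintext reveals the other over the overlapping bytes."""
    n = min(len(c1), len(c2), len(p1))
    return bytes(a ^ b ^ p for a, b, p in zip(c1[:n], c2[:n], p1[:n]))


def demo() -> dict:
    """Run both attacks against the constructed traffic."""
    key_len, key = find_key(C_REPLY, b"proclist")      # reply starts with a command name
    beacon_prefix = recover_other(C_BEACON, C_REPLY, REPLY)
    return {
        "key_len": key_len,
        "key": key.hex(),
        "decrypted_reply": xor_stream(C_REPLY, key),
        "beacon_prefix": beacon_prefix,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The first attack needs only one captured message and a guess at its leading bytes; the second needs no key at all and works for any key length, which is why key reuse across messages is the more damaging property of such a channel. A proper stream cipher with per-message nonces or an authenticated cipher avoids both.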
Jozsef Gegeny & Jose Miguel Esparza