Recently our e-crime unit detected a new banking trojan, named Tatanga, with Man in the Browser (MitB) functionality affecting banks in Spain, the United Kingdom, Germany and Portugal. Like SpyEye, it can perform automatic transactions, retrieving the mule accounts from a server and spoofing the balance and list of operations shown to the user so that the fraudulent transfer goes unnoticed. Its detection rate is very low, and the few antivirus engines that do detect it yield only a generic result.
The trojan in question is rather sophisticated. It is written in C++ and uses rootkit techniques to conceal its presence, although on occasion its files are visible. It downloads a number of encrypted modules (DLLs) that are decrypted only in memory, at the moment they are injected into the browser or other processes, so the plaintext code is never written to disk where antivirus would scan it. The modules are the following:
- Coredb: manages the trojan's configuration. The configuration file is encrypted with 3DES.
- Comm Support Library: implements the encryption of the communication between the trojan and its control panel.
- File Patcher: its function is not yet clear. It is suspected to be in charge of propagation across folders containing multimedia, compressed or executable files.
- ModEmailGrabber: gathers e-mail addresses.
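The in-memory decryption described above is what keeps these DLLs away from on-disk scanning, so the analyst's counter-move is to look for PE images in process memory that the loader does not know about. The following is an added example (our own illustration, not code from the original post or from the Tatanga sample): it walks a raw memory buffer at page-aligned offsets looking for MZ/PE headers and reports any image whose base is not in a supplied set of legitimately loaded modules. The memory blob, the minimal PE header placed inside it and the `known_bases` set are all constructed for the demonstration; in a live triage the buffer would come from the process's committed regions and `known_bases` from its loader module list.

```python
"""Find page-aligned PE images in a memory buffer and flag those the loader
does not account for. Added example; the memory sample is constructed."""
import struct

PAGE = 0x1000
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_DLL = 0x2000          # Characteristics flag: image is a DLL
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def parse_pe_at(buf, off):
    """Return a dict describing a PE header at buf[off:], or None if absent."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    # NT headers normally sit within the first page of the image; anything
    # else is almost certainly a stray "MZ" rather than a mapped module.
    if e_lfanew > PAGE or pe + 26 > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\x00\x00":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", buf, pe + 4)
    magic = struct.unpack_from("<H", buf, pe + 24)[0]
    return {
        "offset": off,
        "machine": machine,
        "sections": nsections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "format": OPTIONAL_MAGIC.get(magic, "unknown"),
        "optional_header_size": opt_size,
    }


def find_pe_images(buf):
    """Collect every valid PE header found at a page boundary."""
    return [info for off in range(0, len(buf), PAGE)
            if (info := parse_pe_at(buf, off)) is not None]


def find_unlisted_images(buf, known_bases):
    """Images the loader module list (known_bases) does not explain are the
    candidates for decrypted-in-memory modules like the ones described above."""
    return [h for h in find_pe_images(buf) if h["offset"] not in known_bases]


def build_fake_pe(is_dll=True, nsections=3):
    """Constructed header-only PE image used as demo data (not a real binary)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, nsections, 0, 0, 0,
                       0xE0, IMAGE_FILE_DLL if is_dll else 0)
    return dos + b"PE\x00\x00" + coff + struct.pack("<H", 0x10B)


def sample_memory():
    """Constructed 8-page memory blob: one real image at page 3, two decoys."""
    blob = bytearray(8 * PAGE)
    pe = build_fake_pe()
    blob[3 * PAGE:3 * PAGE + len(pe)] = pe
    blob[5 * PAGE:5 * PAGE + 2] = b"MZ"          # "MZ" with no PE signature
    blob[6 * PAGE + 0x10:6 * PAGE + 0x12] = b"MZ"  # "MZ" not page-aligned
    return bytes(blob)


if __name__ == "__main__":
    mem = sample_memory()
    for hit in find_unlisted_images(mem, known_bases=set()):
        print("unlisted image at 0x%x: %s, %d sections, dll=%s"
              % (hit["offset"], hit["format"], hit["sections"], hit["is_dll"]))
```

Run against a live process, the same logic would iterate over regions returned by `VirtualQueryEx` and treat an image that is not `MEM_IMAGE`-backed and not in the PEB loader list as the thing to dump and analyse; the decoys in the sample show why the page alignment and `e_lfanew` sanity checks matter, since plain "MZ" string hits are common in any large memory region.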