Tatanga: a new banking trojan with MitB functions

Recently our e-crime unit has detected a new banking trojan, named Tatanga, with Man in the Browser (MitB) functions, affecting banks in Spain, the United Kingdom, Germany and Portugal. Like SpyEye, it can perform automatic transactions, retrieving the mule accounts from a server and spoofing the real balance and banking operations shown to the user. Its detection rate is very low, and the few antivirus engines that do detect it only return a generic detection.

The trojan in question is rather sophisticated. It is written in C++ and uses rootkit techniques to conceal its presence, though on occasion its files are visible. The trojan downloads a number of encrypted modules (DLLs), which are decrypted in memory only when injected into the browser or other processes, to avoid detection by antivirus software. The modules are the following:

  • ModEmailGrabber: Gathers e-mail addresses.
  • Coredb: Manages the trojan's configuration. The corresponding file is encrypted with 3DES.
  • Comm Support Library: Implements the encryption of the communication between the trojan and the control panel.
  • File Patcher: The function of this module is not clear yet. It is suspected to be in charge of propagation across folders containing multimedia, zipped or executable files.
SpyEye using MitB to make fraudulent transactions

Recently our e-crime team has discovered that SpyEye is using Man in the Browser (MitB) techniques in order to make fraudulent transactions. Thanks to MitB, cybercriminals can make the transactions within the same online banking session as the real user, so they can do it quickly and cleanly. I say clean because the logs of the online banking application will not contain any IP address other than the real user's. That means less evidence in a hypothetical court case against the bad guys, for example.

The whole MitB core is written in JavaScript, and the actions performed to make the fraudulent transaction are the following:

  • When the user goes to the account details screen, the information (account number, type of account and balance) of all the accounts is grabbed and sent to the malicious server as a serialized array:

      ["maxCheck" = ["name" = "MY_ACCOUNT_NAME",
                    "check" = "MY_ACCOUNT_NUMBER",
                    "sum" = $$$],
       "allChecks" = [0 = ["name" = "MY_ACCOUNT_NAME",
                           "check" = "MY_ACCOUNT_NUMBER",
                           "sum" = $$$]]]


  • Of all the possible accounts, the one with the highest balance is chosen as the preferred one (the maxCheck array).