New banking Trojan – Tatanga (Mar 4, 2011)


SonicWALL UTM Research team received reports of a new banking Trojan named Tatanga in the wild. Spain, Germany, the United States and the United Kingdom are the countries most affected by this Trojan.

This Trojan has many sophisticated features resembling those found in the popular crimeware toolkits Zeus and SpyEye, including:

  • Encrypted configuration files.
  • Encrypted communication between the bot and the Command & Control server.
  • Dynamic HTML injection affecting users of popular browsers like IE, Firefox, Chrome, Safari etc.
  • Disables AV applications.
  • Harvests e-mail addresses & other sensitive information.
  • Removes other malware infections, specifically Zeus.

Upon infection, the Trojan performs the following activities on the victim machine:

  • Injects itself into the explorer.exe process and conceals its presence on the system. Logs information related to the banking session, including credentials, and uploads it to a remote server.
  • Drops the following files:
    • %User Application Data%\Microsoft\Internet Explorer\report.exe <- Copy of itself [ Detected as: GAV: Tatanga.gen (Trojan) ]
    • %User Local Settings%\Temp\report.dll <- [ Detected as: GAV: Pincav.BAHA (Trojan) ]
    • %User Application Data%\Help\a.dll
    • %User Application Data%\Help\d.dll
    • %User Application Data%\Help\n.dll
    • %User Application Data%\Help\p.dll
    • The DLL files dropped in the Help directory are encrypted data files, not executable code.

  • Attempts to communicate with the C&C server via a predetermined list of compromised web sites.

  • Disables the host Antivirus application.
  • Adds the following registry entry to bypass firewall restrictions (the exception is for explorer.exe because that is the process the Trojan injects into):
    • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: "c:\windows\explorer.exe"
      Data: "c:\windows\explorer.exe:*:Enabled:explorer"
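A host-side check for the artifacts listed above, written as an added example for this post (it is not SonicWALL's code or part of the advisory). It maps %User Application Data% to $env:APPDATA and %User Local Settings%\Temp to $env:TEMP, which is correct on the Windows XP-era systems where the StandardProfile\AuthorizedApplications\List key is used; the function and variable names are this example's own.

```powershell
# Added example: audit a Windows host for the Tatanga artifacts named in the
# advisory. Dropped-file paths and the registry key come from the advisory;
# everything else (names, structure) is assumed for this example.

$DroppedFiles = @(
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\report.exe'),
    (Join-Path $env:TEMP    'report.dll'),
    (Join-Path $env:APPDATA 'Help\a.dll'),
    (Join-Path $env:APPDATA 'Help\d.dll'),
    (Join-Path $env:APPDATA 'Help\n.dll'),
    (Join-Path $env:APPDATA 'Help\p.dll')
)

# XP / Server 2003 Windows Firewall per-application exception list.
$FirewallListKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

function Test-TatangaDroppedFiles {
    # Report each dropped file that exists, with its SHA-256 so the sample can
    # be matched against AV detections or submitted for analysis.
    foreach ($path in $DroppedFiles) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{ Indicator = 'DroppedFile'; Item = $path; Detail = $hash }
        }
    }
}

function Test-FirewallAuthorizedApps {
    # Walk every value under the exception list. Value names are full paths
    # containing backslashes, so read them via the RegistryKey object rather
    # than relying on property-name parsing.
    if (-not (Test-Path -LiteralPath $FirewallListKey)) { return }
    $key = Get-Item -LiteralPath $FirewallListKey
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        # explorer.exe is the Windows shell and has no legitimate need for an
        # inbound firewall exception; the advisory lists exactly this entry.
        if ($name -match '\\explorer\.exe$' -or $data -match 'explorer\.exe:\*:Enabled') {
            [pscustomobject]@{ Indicator = 'FirewallException'; Item = $name; Detail = $data }
        }
    }
}

$findings = @(Test-TatangaDroppedFiles) + @(Test-FirewallAuthorizedApps)
if ($findings.Count -eq 0) {
    Write-Output 'No Tatanga artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated session so the HKLM key is readable. Get-FileHash needs PowerShell 4 or later; on older hosts replace that line with a hash from another tool. The AuthorizedApplications\List key is only consulted by the XP/2003 firewall; on later Windows versions the equivalent check is the Windows Firewall with Advanced Security rule set, so an empty result there does not by itself clear the host.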

[Screenshots showing some statistics from the control panel used by this banking Trojan.]

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signature:

  • GAV: Tatanga.gen (Trojan)