New banking Trojan – Tatanga (Mar 4, 2011)
SonicWALL UTM Research team received reports of a new banking Trojan named Tatanga in the wild. Spain, Germany, the United States and the United Kingdom are the countries most affected by this Trojan.
This Trojan has many sophisticated features resembling functions found in the popular crimeware toolkits Zeus and SpyEye, which include:
- Encrypted configuration files.
- Encrypted communication between the bot and the Command & Control server.
- Dynamic HTML injection affecting users of popular browsers like IE, Firefox, Chrome, Safari etc.
- Disables AV applications.
- Harvests e-mail addresses & other sensitive information.
- Removes other malware infection specifically Zeus.
Upon infection, the Trojan performs the following activities on the victim machine:
- Injects itself into the explorer.exe process and conceals its presence on the system. Logs information about the banking session, including credentials, and uploads it to a remote server.
- Drops the following files:
  - %User Application Data%\Microsoft\Internet Explorer\report.exe <- Copy of itself [ Detected as: GAV: Tatanga.gen (Trojan) ]
  - %User Local Settings%\Temp\report.dll <- [ Detected as: GAV: Pincav.BAHA (Trojan) ]
  - %User Application Data%\Help\a.dll
  - %User Application Data%\Help\d.dll
  - %User Application Data%\Help\n.dll
  - %User Application Data%\Help\p.dll
  The DLL files dropped in the Help directory are encrypted data files.
- Attempts to communicate with the C&C server via a predetermined list of compromised web sites.
- Disables the host Antivirus application.
- Adds the following registry entry to bypass firewall restrictions (it authorizes explorer.exe, the process the Trojan injects into, in the Windows Firewall exception list):
  - Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: "c:\windows\explorer.exe" Data: "c:\windows\explorer.exe:*:Enabled:explorer"
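The two host artifacts above (the authorized-application entry that lets explorer.exe through the Windows Firewall, and the dropped report.exe/report.dll/Help DLL files) are the kind of indicators an incident responder would sweep for. The following is an added example, not code from the original post or from SonicWALL: it parses values in the XP-era `AuthorizedApplications\List` format (`<path>:<scope>:<Enabled|Disabled>:<name>`) and flags exceptions granted to system binaries that never need one, and it matches file paths against the dropped-file locations named in the advisory. The registry values and file paths fed to it are constructed sample data, and the list of "never-authorized" system binaries is an assumption of this example.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Registry location named in the advisory (Windows XP SP2 firewall policy).
FIREWALL_LIST_KEY = (
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)

# Assumption of this example: the Windows shell and core system processes
# should never appear as an enabled inbound firewall exception. Tatanga
# authorizes explorer.exe because that is the process it injects into.
SUSPICIOUS_EXCEPTIONS = {"explorer.exe", "svchost.exe", "winlogon.exe"}

# Path tails of the files the advisory lists as dropped (the %User ...% prefix
# varies per profile, so only the tail under the profile is matched).
DROPPED_FILE_TAILS = [
    r"\microsoft\internet explorer\report.exe",
    r"\temp\report.dll",
    r"\help\a.dll",
    r"\help\d.dll",
    r"\help\n.dll",
    r"\help\p.dll",
]


@dataclass
class AuthorizedApp:
    path: str
    scope: str
    mode: str
    name: str


def parse_authorized_app(data: str) -> Optional[AuthorizedApp]:
    """Parse one value from AuthorizedApplications\\List.

    Format: <path>:<scope>:<Enabled|Disabled>:<display name>.
    The path itself contains a colon after the drive letter, so the drive is
    split off first and the remaining three colons delimit the other fields.
    Returns None for data that does not follow the format.
    """
    drive, sep, rest = data.partition(":")
    if not sep or len(drive) != 1:
        return None
    parts = rest.split(":", 3)
    if len(parts) != 4:
        return None
    tail, scope, mode, name = parts
    return AuthorizedApp(path=f"{drive}:{tail}", scope=scope, mode=mode, name=name)


def suspicious_firewall_exceptions(values: List[str]) -> List[AuthorizedApp]:
    """Return enabled exceptions whose executable is a core system binary."""
    hits = []
    for data in values:
        app = parse_authorized_app(data)
        if app is None:
            continue
        exe = ntpath.basename(app.path).lower()
        if exe in SUSPICIOUS_EXCEPTIONS and app.mode.lower() == "enabled":
            hits.append(app)
    return hits


def dropped_file_indicators(paths: List[str]) -> List[str]:
    """Return the paths whose tail matches one of the advisory's dropped files."""
    return [p for p in paths if any(p.lower().endswith(t) for t in DROPPED_FILE_TAILS)]


# Constructed sample data: a benign exception, the entry from the advisory,
# and a disabled entry that should not be flagged.
SAMPLE_FIREWALL_VALUES = [
    r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"c:\windows\explorer.exe:*:Enabled:explorer",
    r"C:\Tools\nc.exe:LocalSubNet:Disabled:netcat",
]

# Constructed sample file listing from one user profile.
SAMPLE_FILE_LISTING = [
    r"C:\Documents and Settings\alice\Application Data\Microsoft\Internet Explorer\report.exe",
    r"C:\Documents and Settings\alice\Application Data\Help\a.dll",
    r"C:\Documents and Settings\alice\Local Settings\Temp\report.dll",
    r"C:\Documents and Settings\alice\Local Settings\Temp\notes.txt",
]

if __name__ == "__main__":
    for app in suspicious_firewall_exceptions(SAMPLE_FIREWALL_VALUES):
        print(f"suspicious firewall exception under {FIREWALL_LIST_KEY}: {app.path} ({app.name})")
    for path in dropped_file_indicators(SAMPLE_FILE_LISTING):
        print(f"dropped-file indicator: {path}")
```

On a live system the values would come from a registry export of the key above and the file listing from a directory walk of each user profile; the matching here is deliberately conservative (exact executable name plus Enabled mode, exact path tail) so it can be run broadly without drowning responders in noise.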
[Screenshots showing statistics from the control panel used by this banking Trojan]
SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signature:
- GAV: Tatanga.gen (Trojan)