“Will its modular and stable architecture attract more cyber thieves in the future? It would not be surprising, but only time will tell,” writes ESET malware researcher Jean-Ian Boutin.
Gataka has an architecture similar to SpyEye, he says, “in that several plugins can be downloaded to add more functionality.” This modularity is what makes such kits popular among cybercriminals: new functions can be added and attacks tailored to specific targets. With Gataka, the modularity is combined with an automated patch process. “When communicating with the C&C,” explains Boutin, “the client provides a list containing all its installed plugins and their versions. The server can then send updated or new plugins to the Trojan. In one of Win32/Gataka’s campaigns that we followed, we observed updates to the main component every 2-3 days while the plugins did not evolve significantly. These updates seemed to be mostly for evading detection by anti-malware software.” Just as OS patching seeks to close holes before attackers can use them, malware patching is evolving to stay ahead of detection.
The company has also been tracking a number of separate Gataka campaigns to study how it is used. Two of them have targeted German and Dutch banks. More details on the German attack have been provided by Trusteer: “In the background, Tatanga [i.e., Gataka] initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from.”
The Dutch bank campaign is similar (the Dutch site PC Web Plus has an example screenshot showing an attack against the ING bank); it seeks to persuade the infected user to input a Transaction Authorization Number (TAN). The user is told that the TAN sent by SMS is effectively for testing purposes – but in reality it confirms a hidden transaction secretly extracting funds and sending them to a criminal money mule.
The bottom line to all this is that Gataka is increasingly sophisticated – and increasingly likely to be adopted by future cybercriminals.