Win32/Gataka: a new banking trojan readies itself

02 July 2012

As if there aren't already enough banking trojans to worry about, with SpyEye and Zeus, Carberp and OddJob, ESET is now warning that Gataka (aka Tatanga) – another man-in-the-browser trojan – appears ready for take-off.

“Will its modular and stable architecture attract more cyber thieves in the future? It would not be surprising, but only time will tell,” writes ESET malware researcher Jean-Ian Boutin.

Gataka has an architecture similar to SpyEye, he says, “in that several plugins can be downloaded to add more functionality.” It is this modularity that is proving popular among cybercriminals, since it lets new functions and tailored attacks be added without rebuilding the core. With Gataka, this modularity is combined with an automated patch process. “When communicating with the C&C,” explains Boutin, “the client provides a list containing all its installed plugins and their versions. The server can then send updated or new plugins to the Trojan. In one of Win32/Gataka’s campaigns that we followed, we observed updates to the main component every 2-3 days while the plugins did not evolve significantly. These updates seemed to be mostly for evading detection by anti-malware software.” Just as OS patching seeks to close off attacks, malware patching is evolving to stay ahead of detection.

ESET provides a list of currently available Gataka plug-ins, including Interceptor (examines all inbound and outbound network traffic), WebInject (injects JavaScript into web pages visited) and SocksTunnel (for anonymous browsing).

The company has also been tracking a number of separate Gataka campaigns to study how it is used. Two of them have targeted German and Dutch banks. More details on the German attack have been provided by Trusteer: “In the background, Tatanga [i.e., Gataka] initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from.”

The Dutch bank campaign is similar (the Dutch site PC Web Plus has an example screenshot showing an attack against the ING bank); it seeks to persuade the infected user to input a Transaction Authorization Number (TAN). The user is told that the TAN sent by SMS is effectively for testing purposes – but in reality it confirms a hidden transaction secretly extracting funds and sending them to a criminal money mule.

The third campaign monitored by ESET is one against a major US newspaper. It uses a very basic JavaScript routine to brute-force usernames and passwords. “This is a rather weird usage of the HTTP injection capabilities and one that might produce low return on investment,” notes Boutin, “but it certainly highlights the capabilities of the malware and the creativity of its bot master or of anyone who might be renting the botnet from the bot master.” It could also, of course, be a proof-of-concept test for a more sophisticated brute-forcing module in the future.

The bottom line is that Gataka is becoming increasingly sophisticated, and increasingly likely to be adopted by cybercriminals in the future.
