“Will its modular and stable architecture attract more cyber thieves in the future? It would not be surprising, but only time will tell,” writes ESET malware researcher Jean-Ian Boutin.
Gataka has an architecture similar to SpyEye, he says, “in that several plugins can be downloaded to add more functionality.” It is such modularity that is proving popular among cybercriminals, allowing new functions and tailored attacks. With Gataka, this modularity is combined with an automated patch process. “When communicating with the C&C,” explains Boutin, “the client provides a list containing all its installed plugins and their versions. The server can then send updated or new plugins to the Trojan. In one of Win32/Gataka’s campaigns that we followed, we observed updates to the main component every 2-3 days while the plugins did not evolve significantly. These updates seemed to be mostly for evading detection by anti-malware software.” Just as OS patching seeks to avoid attacks, malware patching is evolving to avoid detection.
ESET provides a list of currently available Gataka plug-ins, including Interceptor (examines all inbound and outbound network traffic), WebInject (injects JavaScript into web pages visited) and SocksTunnel (for anonymous browsing).
The company has also been tracking a number of separate Gataka campaigns to study its use. Two of them have been targeted against German and Dutch banks. More details on the German attack have been provided by Trusteer: “In the background, Tatanga [ie, Gataka] initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from.”
The Dutch bank campaign is similar (the Dutch site PC Web Plus has an example screenshot showing an attack against the ING bank); it seeks to persuade the infected user to input a Transaction Authorization Number (TAN). The user is told that the TAN sent by SMS is effectively for testing purposes – but in reality it confirms a hidden transaction secretly extracting funds and sending them to a criminal money mule.
The third campaign monitored by ESET is one against a major US newspaper. It uses a very basic brute force JavaScript routine to attempt to brute force usernames and passwords. “This is a rather weird usage of the HTTP injection capabilities and one that might produce low return on investment,” notes Boutin, “but it certainly highlights the capabilities of the malware and the creativity of its bot master or of anyone who might be renting the botnet from the bot master.” It could also, of course, be a proof-of-concept test for a more sophisticated brute forcing module in the future.
The bottom line to all this is that Gataka is increasingly more sophisticated – and increasingly more likely to be adopted by future cybercriminals.