New banking Trojan - Tatanga

SonicWALL UTM Research team received reports of a new banking Trojan named Tatanga in the wild. Spain, Germany, United States & United Kingdom are top countries affected by this Trojan.

This Trojan has many sophisticated features resembling functions found in the popular Crime-ware toolkits Zeus & SpyEye which includes:

• Encrypted configuration files.
• Encrypted communication between the bot and the Command & Control server.
• Dynamic HTML injection affecting users of popular browsers like IE, Firefox, Chrome, Safari etc.
• Disables AV applications.
• Harvests e-mail addresses & other sensitive information.
• Removes other malware infection specifically Zeus.

Upon infection, the Trojan performs following activities on the victim machine:

• Injects itself into explorer.exe process and conceals its presence on the system. Logs information related to banking session including credentials & uploads it to a remote server.
• Drops the following files:
  • %User Application Data%MicrosoftInternet Explorer report.exe <- Copy of itself [ Detected as: GAV: Tatanga.gen (Trojan) ]
  • %User Local Settings%Temp report.dll <- [ Detected as: GAV: Pincav.BAHA (Trojan) ]
  • %User Application Data%Help a.dll
  • %User Application Data%Help d.dll
  • %User Application Data%Help n.dll
  • %User Application Data%Help p.dll

  DLL files dropped in Help directory are encrypted data files.

• Attempts to communicate with C&C server via a predetermined list of compromised web sites.



• Disables the host Antivirus application.
• Adds following registry entry to bypass firewall restrictions:
  • Key: [HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList]
    Value: "c:windowsexplorer.exe"
    Data: "c:windowsexplorer.exe:*:Enabled:explorer"

Screenshots showing some statistics from control panel used by this banking Trojan:

SonicWALL Gateway AntiVirus provides protection against this Trojan via following signature:

• GAV: Tatanga.gen (Trojan)