New banking Trojan - Tatanga

March 4, 2011

SonicWALL UTM Research team received reports of a new banking Trojan named Tatanga in the wild. Spain, Germany, United States & United Kingdom are top countries affected by this Trojan.

This Trojan has many sophisticated features resembling functions found in the popular Crime-ware toolkits Zeus & SpyEye which includes:

  • Encrypted configuration files.
  • Encrypted communication between the bot and the Command & Control server.
  • Dynamic HTML injection affecting users of popular browsers like IE, Firefox, Chrome, Safari etc.
  • Disables AV applications.
  • Harvests e-mail addresses & other sensitive information.
  • Removes other malware infection specifically Zeus.

Upon infection, the Trojan performs following activities on the victim machine:

  • Injects itself into explorer.exe process and conceals its presence on the system. Logs information related to banking session including credentials & uploads it to a remote server.
  • Drops the following files:
    • %User Application Data%MicrosoftInternet Explorer report.exe <- Copy of itself [ Detected as: GAV: Tatanga.gen (Trojan) ]
    • %User Local Settings%Temp report.dll <- [ Detected as: GAV: Pincav.BAHA (Trojan) ]
    • %User Application Data%Help a.dll
    • %User Application Data%Help d.dll
    • %User Application Data%Help n.dll
    • %User Application Data%Help p.dll
    • DLL files dropped in Help directory are encrypted data files.

  • Attempts to communicate with C&C server via a predetermined list of compromised web sites.
  • screenshot

  • Disables the host Antivirus application.
  • Adds following registry entry to bypass firewall restrictions:
    • Key: [HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList]
      Value: "c:windowsexplorer.exe"
      Data: "c:windowsexplorer.exe:*:Enabled:explorer"

Screenshots showing some statistics from control panel used by this banking Trojan:



SonicWALL Gateway AntiVirus provides protection against this Trojan via following signature:

  • GAV: Tatanga.gen (Trojan)