Man-in-the-Browser attacks are becoming ever more popular with cybercriminals who seek to plunder bank accounts. The latest in a long string of banking Trojans that helps them do just that is the Tatanga Trojan.
“Like SpyEye, it can perform automatic transactions, retrieving the mules from a server and spoofing the real balance and banking operations of the users,” say S21sec researchers, and warn that it has yet to be detected by most AV solutions. Users who need to be on the lookout are those of various Spanish, UK, German and Portuguese banks.
The researchers say that it is a quite sophisticated piece of malware that uses rootkit techniques to hide itself. Both its configuration file and the communication between the Trojan and its control panel are encrypted.
Its various modules perform tasks such as blocking the resident AV solution from functioning, removing other malware families, grabbing e-mail addresses and performing HTML injections.
“Depending on the targeted bank, the trojan can passively grab the credentials or ask for more in order to make the fraudulent transaction in the user session,” the researchers explain.
Sometimes the requested credentials include the OTP mobile key, and users share this information willingly thanks to specially crafted messages that use very effective social engineering techniques.
The communication from the Trojan to the control panel passes through a number of compromised sites. The Trojan is effective with various browsers: IE, Firefox, Chrome, Safari, Opera and several others.
Among other functionalities of the malware are 64-bit support and scraping of online banking pages aimed at improving the injected code.