Tatanga is a new banking Trojan with man-in-the-browser (MitB) capabilities that injects HTML into all web browsers and uses rootkit techniques to hide its presence. Banks in Spain, the United Kingdom, Germany and Portugal have been affected by this malware, as detected by S21Sec.
A new banking Trojan named Tatanga has been discovered by the e-crime unit of Spanish security firm S21Sec. The malware has man-in-the-browser (MitB) features and, like SpyEye, can perform automatic transactions and spoof the balance of users' accounts and their banking operations.
According to S21Sec researchers, the Tatanga Trojan is written in C++ and uses rootkit techniques to hide its presence, although, at times, its files are visible. "The Trojan downloads a number of encrypted modules (DLLs), which are decrypted in memory when injected into the browser or other processes to avoid detection by antivirus software," they write on the corporate blog.
Apparently, this banking malware has attacked online banking users in Germany, Portugal, Spain and the United Kingdom. "Like other Trojans in its class, it uses an encrypted configuration file. This file is in XML format and has an element for each affected country." "Depending on the target bank," they continue, "the Trojan can passively acquire the credentials or request them in order to undertake fraudulent transactions during the user session."
Tatanga can inject HTML into all popular browsers: Explorer, Firefox, Chrome, Opera, Safari, Minefield, Maxthon, Netscape, and Konqueror.
At the moment, the detection rate of the Tatanga Trojan "is very low," the S21Sec experts point out, "and few antivirus engines can detect it."
Author: IDG.es
Source: CSO Spain

