14 DAY TRIAL // Spanish security firm S21sec has identified a new banking trojan capable of injecting HTML into all popular browsers which uses a rootkit to hide its components.
Dubbed Tatanga, the trojan is written in C++ and is organized in modules with different functionality which are decrypted in memory as needed.
Like other banking trojans, Tatanga executes Man-in-the-Browser (MitB) attacks in order to perform unauthorized transactions from the accounts of its victims.
The trojan currently targets banks from Western European countries, particularly the United Kingdom, Germany, Spain and Portugal.
It currently has a very low detection rate. A signature-based Virus Total scan reveals that only 9 in 43 antivirus engines currently detect the infector as malicious and most of them do it under generic names.
Microsoft calls it Trojan:Win32/Mariofev.B and has first added detection for it on September 03, 2010. However, the definition was updated a week ago, probably to account for new variants.
According to S21sec researchers, the trojan comes with an email harvesting module, one that handles encrypted communication, another for the removal of competing trojans, including ZeuS, a module for blocking antivirus programs, one handling the encrypted configuration file, the HTML injector, and a file patcher whose purpose is yet to be determined.
"The modules names ModEmailGrabber and ModMalwareRemover might have been used in a bot in 2008, so maybe this is the result of the evolution of that malware," the researchers write.
This might explain why Microsoft calls this version Mariofev.B. The company added detection for a Trojan:Win32/Mariofev.A on Oct 07, 2008.
The trojan talks with the command and control server via seven hardcoded websites that act as proxy, but the communication encryption is very weak.
Tatanga hooks into explorer.exe and can inject HTML in Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Minefield (Firefox dev builds), Maxthoon, Netscape, Safari and Konqueror, basically every popular browser.
Other noteworthy features include support for 64-bit Windows, anti-VM technology, mobile OTP phishing and Trusteer Rapport evasion.