Symantec security researcher Hon Lau published an article detailing a new banking Trojan called Tatanarg that puts a novel twist on the standard data-stealing malware exploit.
Traditional banking Trojans typically intercept data as it is communicated between the victim and their bank's portal, then transmit the data to the attacker.
More advanced methodologies employ a "man-in-the-browser" (MITB) technique that harvests data in real time and works to overcome encryption and multifactor authentication defenses.
As Lau explains, Tatanarg is component-based and downloads several processes to enable the Trojan to perform multiple tasks which include:
- Killing other threats such as the Zeus Trojan. You may recall Trojan.Spyeye also had a functionality to kill Zeus Trojans. Zeus is clearly not only under attack from antivirus software but also from other malware, too.
- Disrupting security software - this is relatively common in many malware samples.
- Modifying HTML in the browser - this may be used to inject extra fields into authentication forms during login, for example.
- Enables Windows remote access.
Tatanarg not only targets data in sessions subsequent to the infestation, it also steals any data that has been harvested by other malware, potentially yielding a goldmine of information in a comparatively short timespan.
"In addition to being able to just steal information, it also offers a back door, allowing a remote attacker to issue various commands to control the infected computer. Commands range from listing and terminating processes running on the computer, clearing browser cookies, executing arbitrary programs, to rebooting the computer," Lau wrote.
News of Tatanarg follows a recent report by researchers at Trusteer which details another sophisticated new strain of malware called OddJob that is being utilized to hijack online banking sessions.
OddJob allows the attackers to piggyback a legitimate user login and keeping the session open after the victim believes they have safely logged out of the account.
OddJob is somewhat unique in that the attackers use an existing session and ID token to inject transaction commands, as opposed to trojans that steal authentication details to be used in a separate set of fraudulent transactions.
Both Tatanarg and OddJob illustrate the time and resources criminal networks are willing to invest in malware development, as well as the level of technical creativity employed to defeat available defenses.