Banking Trojan Bypasses Mobile Security with Sophisticated Attack

Sophisticated, Multi-faceted Attack Uses an Man in the Browser Attack to Bypass Transaction Authorization Measures 

Researchers at Trusteer have recently observed a new strategy being deployed by the Tatanga Trojan, which uses multiple attack methods in a single scheme. The attack mixes traditional social engineering with browser hijacking in an attempt to fool the victim into legitimately approving wire transfers.

Tatanga was first discovered in 2011 by S21sec, a security firm headquartered in Spain, with offices in Miami and Houston. At the time, the Trojan was targeting banks in Spain, United Kingdom, Germany and Portugal, and has remained active in those regions since.

“The Trojan in question is rather sophisticated. It is written in C++ and uses rootkit techniques to conceal its presence, though on occasion, its files are visible. The Trojan downloads a number of encrypted modules (DLLs), which are decrypted in memory when injected to the browser or other processes to avoid detection by antivirus software,” S21sec wrote in their initial report on the malware.

From its first attack, Tatanga has remained a hybrid attack platform, using data injected into the browser to show the victim one thing, while telling the web application – in this case the bank – another. For example, earlier this month Trusteer reported on Tatanga promoting fraud insurance to banking customers. At the end of the scheme, the victim thinks they are authorizing account protection, when in fact they were authorizing a transfer of funds.

“Once they have compromised an endpoint, the ability of Tatanga and the other cybercrime platforms to commit online fraud is limited only by the imagination of criminals,” noted Trusteer’s Amit Klein.

On Monday, Trusteer issued a report on the latest scheme being used by Tatanga that appears to be targeting banks in Germany. According to what they’ve learned the attack starts when a compromised system accesses a targeted German bank.

Once the banking application loads, Tatanga uses its browser injection abilities to present a warning that alleges the bank is performing a security check on the victim’s computer and their ability to receive a Transaction Authorization Number (TAN) on their mobile device.

“In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from,” Trusteer explained in a blog post.

“The victim is asked to enter the SMS-delivered TAN they receive from the bank into the fake web form, as a way to complete this security process. By entering the TAN in the injected HTML page the victim is in fact approving the fraudulent transaction originated by Tatanga against their account.”

The victim sees the fund transfer displayed on the screen, and the destination account. However, they’re told that it is an experiment and that the funds will not be moved. Obviously, the assurance – just like the cake – is a lie.

“This is a very sophisticated and multi-faceted attack,” Trusteer notes. The injected prompts, when blended with some crafty social engineering and a unassuming victim, translate into the criminals being able to bypass the two-factor authentication used by the bank.

“Fortunately, the text in the injected HTML page is littered with grammar and spelling mistakes and appears not to have been written by a German speaker. This may make it less effective. Clearly, grammar is easy for fraudsters to improve. The fact that they are blending multiple attack methods in a single fraud scam is not good news.”