Trojan.Tatanarg.B Careful!

There was a recent report on the Opera forums that users were encountering strange certificate behavior when visiting particular services over secured network connections, specifically HTTPS. This occurred while using online banking, webmail services, and social networking sites. Upon further investigation, we discovered a Trojan was intercepting the HTTPS connections, namely Trojan.Tatanarg.B.

Trojan.Tatanarg.B works by installing a proxy in the browser that intercepts HTTPS connections and presents its own self-signed certificate to the user, in effect exposing all of the encrypted traffic between the user and the secure service. The Trojan specifically targets Firefox, Opera, Maxthon, and Internet Explorer. Once the proxy is installed, the attacker can sniff sensitive details and modify the traffic on the fly; in most cases this is largely transparent to the user, although how much warning the user receives depends on which browser is in use.
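The symptom described above, a browser that is suddenly shown a self-signed certificate for a bank or webmail site, can be checked for programmatically. The following is an added example (not code from the original post or from Symantec) that inspects a server certificate in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()` and flags the two signals a local interception proxy produces: a leaf whose issuer equals its subject, and an issuer organization different from the one the site is known to use. The host name `bank.example`, the organization names and the expected-issuer value are constructed placeholders, not values from the post.

```python
import socket
import ssl


def _rdn_to_dict(rdn_seq):
    """Flatten the nested tuples getpeercert() uses for subject/issuer
    (e.g. ((('commonName', 'x'),),)) into a flat {attribute: value} dict."""
    flat = {}
    for rdn in rdn_seq:
        for attribute, value in rdn:
            flat[attribute] = value
    return flat


def assess_peer_cert(cert, expected_issuer_org=None):
    """Return warning strings for a certificate in getpeercert() dict form.

    Two signals are checked:
      * subject == issuer: a self-signed leaf, which is what a local
        interception proxy hands to the browser in place of the real
        server certificate;
      * the issuer organization differs from the one the caller expects
        (expected_issuer_org is an assumed input, e.g. a value recorded
        from a known-clean machine for the same site).
    """
    warnings = []
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    if subject == issuer:
        warnings.append("self-signed certificate presented for %s"
                        % subject.get("commonName", "<no CN>"))
    if expected_issuer_org is not None:
        seen = issuer.get("organizationName")
        if seen != expected_issuer_org:
            warnings.append("issuer organization %r does not match expected %r"
                            % (seen, expected_issuer_org))
    return warnings


def check_site(host, port=443, expected_issuer_org=None, timeout=5.0):
    """Connect with the default (verifying) context and report.

    A proxy certificate the OS does not trust fails verification outright,
    which is itself the signal; one whose root has been planted in the
    trust store passes verification, so the presented certificate is then
    inspected with assess_peer_cert(). Needs network access; the offline
    samples below do not exercise it.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"verified": True,
                        "warnings": assess_peer_cert(tls.getpeercert(),
                                                     expected_issuer_org)}
    except ssl.SSLCertVerificationError as exc:
        return {"verified": False,
                "warnings": ["certificate verification failed: %s"
                             % exc.verify_message]}


# Constructed samples shaped like getpeercert() output; bank.example and the
# organization names are placeholders, not sites or CAs from the post.
SAMPLE_PROXY_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("commonName", "bank.example"),),),
    "notBefore": "May 17 00:00:00 2012 GMT",
    "notAfter": "May 17 00:00:00 2013 GMT",
}
SAMPLE_GENUINE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank"),),
                (("commonName", "bank.example"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example CA Server G2"),)),
}

if __name__ == "__main__":
    print(assess_peer_cert(SAMPLE_PROXY_CERT, "Example CA"))
    print(assess_peer_cert(SAMPLE_GENUINE_CERT, "Example CA"))
```

`check_site()` deliberately keeps the default verifying context: if the proxy's certificate is not trusted by the operating system, the handshake failure itself is the finding, and the code only falls through to `assess_peer_cert()` when the certificate validated, which is the case that matters once an attacker has planted a root in the trust store.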

Figure 1. Opera gives the user the clearest indication that something is afoot

Infection Vector

We are aware of two methods that Trojan.Tatanarg.B is using to install itself. The first method is through an Exploit Kit—one of which we have identified as BlackHole. This can be used as part of a drive-by-download or through a spear-phishing email.

The other method is an email carrying a malicious attachment. Below is an example email, sent on May 17 from a Russian mail server, whose attachment is a Trojan that in turn downloads Trojan.Tatanarg.B.

Figure 2. Example email sent May 17

Components

Trojan.Tatanarg.B is made up of two main components: a back door component and a proxy component. The components are stored on disk compressed with bzip2 and XOR encrypted.
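For an analyst recovering these components from disk, the bzip2 layer is useful: every bzip2 stream starts with the bytes `BZh` followed by a block-size digit, so the first bytes of the XOR key fall out directly from the encrypted file's header. The following is an added example (not code from the original post or from Symantec) that applies that known-plaintext check, tries short repeating keys, and accepts a key only if the whole stream decompresses cleanly. It assumes a repeating key of at most four bytes and a bzip2 header at the start of the blob; neither the key length nor the layout of the real components is stated in the post, and the sample blob, key and payload are constructed here.

```python
import bz2

BZ2_MAGIC = b"BZh"   # bzip2 stream header, followed by a block-size digit '1'..'9'


def xor_bytes(data, key):
    """Repeating-key XOR; the operation is its own inverse."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def recover_bzip2_payload(blob, max_key_len=4):
    """Recover a bzip2 stream that was XOR-encrypted with a short repeating key.

    Assumption (not stated in the post): the key is at most max_key_len
    bytes and the bzip2 header sits at offset 0. The first three plaintext
    bytes are known ('BZh'), so the first three key bytes follow from
    blob[:3]; a fourth key byte is found by trying the nine legal
    block-size digits. A candidate is accepted only if the full stream
    decompresses. Returns (key, payload) or None.
    """
    if len(blob) < 4:
        return None
    known = [blob[i] ^ BZ2_MAGIC[i] for i in range(3)]
    for klen in range(1, max_key_len + 1):
        if klen <= 3:
            # a shorter key must be consistent with all three derived bytes
            if any(known[i] != known[i % klen] for i in range(3)):
                continue
            candidates = [bytes(known[:klen])]
        else:
            candidates = [bytes(known + [blob[3] ^ ord(d)]) for d in "123456789"]
        for key in candidates:
            plain = xor_bytes(blob, key)
            if not plain.startswith(BZ2_MAGIC):
                continue
            try:
                return key, bz2.decompress(plain)
            except (OSError, ValueError, EOFError):
                continue   # header matched by chance; CRC/stream check failed
    return None


# Constructed sample: a stand-in module body, compressed and XORed with a
# two-byte key chosen for this example (not the Trojan's key).
SAMPLE_KEY = b"\x5a\xc3"
SAMPLE_PAYLOAD = b"MZ" + b"constructed stand-in for a module body " * 4
SAMPLE_BLOB = xor_bytes(bz2.compress(SAMPLE_PAYLOAD), SAMPLE_KEY)

if __name__ == "__main__":
    key, payload = recover_bzip2_payload(SAMPLE_BLOB)
    print(key.hex(), payload[:16])
```

Because bzip2 streams carry block and stream CRCs, a wrong key that happens to reproduce the header is rejected at the decompression step rather than producing garbage, which is why the routine can afford to try several candidate keys.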

The back door component (CommuniFork.dll) has the following functionality:

  • Install botnet module (and other modules using module IDs)
  • Set up autorun scripts and query existing autorun scripts
  • Browse files on the compromised computer
  • Collect system information
  • Connect to a remote location
  • Download and execute additional files
  • Get bot ID
  • Load a module
  • Modify a Web browser home page
  • Remotely stop and start the server or client
  • Run a Web browser
  • Run shellcode
  • Start the back door component as a server or client
  • Store bot-provided URLs in the registry

The proxy component (CeptorFork.dll) intercepts traffic over HTTP and HTTPS, presenting the self-signed certificate so that it can read the HTTPS traffic in the clear.

Distribution

Tatanarg.B, unlike the infamous Trojan.Zbot (Zeus), has a far more targeted client base. This is probably for a few reasons. For one, anyone who knows where to look can obtain the Zeus source code and then configure and distribute their own build, whereas Tatanarg.B appears to come from a single source, which we can identify from the debug strings found in the various .dll components.

Figure 3. Infections of Tatanarg.B are present in Scandinavia, Germany, the Netherlands, and Italy

Compile Time   Debug String
Aug. 2011      X:\fbi\x27\Work\prj\svnmain\Projects\mr.lyle2\CeptorFork\Release\CeptorFork.pdb
Sep. 2011      X:\fbi\x27\Work\prj\svnmain\Projects\mr.lyle\CommuniFork\Release\CommuniFork.pdb
Nov. 2011      C:\projects\astbase\mr.lyle2\CeptorFork\Release\CeptorFork.pdb
Jan. 2012      C:\projects\astbase\mr.lyle2\CommuniFork\Release\CommuniFork.pdb
Apr. 2012      C:\projects\astbase\Projects\HermesCore\Release\HermesCore.pdb

Examining the debug strings, the ‘svnmain’ string suggests that the project is under ongoing development and that the author uses version control. The author has also replaced the main communication module, CommuniFork, with HermesCore.
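Debug strings like the ones in the table live in the PE file's CodeView debug record, which has a fixed layout: the signature `RSDS`, a 16-byte GUID, a 32-bit age, then the NUL-terminated PDB path. The following is an added example (not code from the original post or from Symantec) that carves such records out of a raw image by signature, so it also works on memory dumps and unpacked modules where the PE debug directory may be missing, and then pulls out the fields the post reads from each path. The sample image is constructed; it embeds one of the paths quoted in the table, but the GUID and age values are placeholders.

```python
import struct

RSDS_HEADER_LEN = 4 + 16 + 4   # 'RSDS' signature, GUID, age


def _format_guid(raw16):
    """Render a CodeView GUID the way debuggers print it; the first three
    fields are stored little-endian in the file."""
    d1, d2, d3 = struct.unpack("<IHH", raw16[:8])
    return "%08X-%04X-%04X-%s-%s" % (
        d1, d2, d3, raw16[8:10].hex().upper(), raw16[10:].hex().upper())


def extract_codeview_records(data):
    """Scan a raw PE image for 'RSDS' CodeView debug records.

    Each hit is validated by requiring a non-empty, printable-ASCII,
    NUL-terminated path after the 24-byte header, which discards most
    accidental 'RSDS' byte sequences. Returns a list of dicts with the
    record offset, formatted GUID, age and PDB path.
    """
    records = []
    pos = 0
    while True:
        idx = data.find(b"RSDS", pos)
        if idx < 0 or idx + RSDS_HEADER_LEN > len(data):
            break
        pos = idx + 4
        end = data.find(b"\x00", idx + RSDS_HEADER_LEN)
        if end < 0:
            continue
        path = data[idx + RSDS_HEADER_LEN:end]
        if not path or not all(32 <= b < 127 for b in path):
            continue
        (age,) = struct.unpack("<I", data[idx + 20:idx + 24])
        records.append({
            "offset": idx,
            "guid": _format_guid(data[idx + 4:idx + 20]),
            "age": age,
            "path": path.decode("ascii"),
        })
    return records


def summarize_pdb_path(path):
    """Pull out what the post reads from each debug string: the module
    name, the project directory two levels above the .pdb, and whether a
    version-control name appears anywhere in the path (crude substring
    check for 'svn' and 'git')."""
    parts = path.replace("/", "\\").split("\\")
    lowered = path.lower()
    return {
        "module": parts[-1],
        "project": parts[-3] if len(parts) >= 3 else None,
        "mentions_vcs": ("svn" in lowered) or ("git" in lowered),
    }


# Constructed stand-in for a PE image: filler, a decoy 'RSDS' whose "path"
# is not text, then a well-formed record. The path is one of the strings
# from the post; the GUID bytes and the age value 3 are placeholders.
SAMPLE_PDB_PATH = r"C:\projects\astbase\mr.lyle2\CeptorFork\Release\CeptorFork.pdb"
SAMPLE_IMAGE = (
    b"MZ" + b"\x90" * 30
    + b"RSDS" + b"\xff" * 20 + b"\x80\x81\x00"
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 3)
    + SAMPLE_PDB_PATH.encode("ascii") + b"\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for rec in extract_codeview_records(SAMPLE_IMAGE):
        print(rec, summarize_pdb_path(rec["path"]))
```

Running the same carve over a set of samples and grouping by the `project` field and by the GUID is a quick way to confirm the single-source picture the post draws from these strings: a shared, evolving directory layout rather than many independent builds.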

This Trojan has been around since at least early 2011, and the recent wave of infections and the longevity of the Trojan indicate that it remains a profitable enterprise for the author, who continues to develop and target users in Europe. Rest assured that we will continue to monitor developments.