Win32/Gataka is an information-stealing Trojan that has been previously discussed on this blog here and here. Recently, we came across a post from its author on an underground forum trying to sell his creation. The post contained a help file detailing the inner working of this threat. This blog post will highlight some of the most interesting part of this help file.
First off, it is interesting to note that the malware author is trying to sell the kit under the name Zutick. The asking price is $3,300 for both the control panel and builder. The documentation states that this Trojan works with all versions of Windows (32- and 64-bit) and its installation and operation doesn’t require administrative rights. It offers many plugins that facilitate the stealing of sensitive information, mainly through injection of arbitrary content into the compromised host browser. More information on the techniques used by this malware to intercept user content can be found here. The documentation states that all major browsers are supported: Internet Explorer, Firefox, Chrome, Opera and Safari.
The panel offers many features for tracking and management of the botnet. It can automatically send notifications to Jabber and provide a wealth of statistics for each compromised host. Among other things, it is possible to ascertain exactly which software is installed and active on a specific host. The botmaster can also blacklist or whitelist specific processes on a compromised host. Another interesting feature is that a Domain Generation Algorithm (DGA) is available as a fallback mechanism if the C&C URLs hardcoded in the client become inaccessible. The following sections will highlight the most interesting features described in the documentation.
The SOCKS plugin supports SOCKS4, SOCKS5, HTTP and HTTPS protocols. Through this plugin, it is possible to set up a back-connect shell on a compromised host. Screenshots shown below explain how to set up a SOCKS proxy (please note that all comments on the screenshots were only in Russian. We added an English translation in parenthesis for clarity):
Choose the country for the proxy:
Pick the exact bot:
Through the admin panel, the botmaster can send commands to one or multiple bots. The screenshots shown below show how to drop an executable on compromised host(s) and execute it:
Win32/Gataka provides a GUI interface to control a computer remotely through a VNC session. For example, it can control a browser on a compromised host, taking over a secure session. This can be useful in order to impersonate the user so as to perform fraudulent transactions on his behalf. The screenshots below show the steps required for setting up a VNC connection and the GUI interface used to control the remote host.
All webinjects are stored on the C&C server and can be pushed to the bots. The screenshots below show how to manage the import and delivery of the webinjects to the compromised hosts.
List of active webinjects on the C&C panel:
There is also a special function to convert any Zeus compatible webinject to Win32/Gataka format.
As can be seen from the screenshot above, the webinject can instruct the main platform to take videos of the current webpage. It can also store information in registry keys and fetch them later on. This technique can be very handy when performing fraudulent bank transfers in order to save the amount and the account number that was used in the transfer. This technique is depicted in the following webinject file that was downloaded by one of the campaigns we tracked in the last couple of months:
Special thanks to my colleague Aleksandr Matrosov who provided intel for this blog post.
Author Jean-Ian Boutin, ESET