Win32/Gataka is a banking Trojan that affects German banks, Dutch banks and a US newspaper. Win32/Gataka eases bogus bank transfers. Win32/Gataka has the same architecture as SpyEye in that a few plugins can be downloaded to add more functionality. Win32/Gataka is developed in C++ and is overly verbose in both the debug strings in its binaries and the amount of logging information that is transmitted back to the C&C. When activated, Win32/Gataka first inserts itself into the process called ‘explorer.exe’ and then continues on its installation. Win32/Gataka inserts all running processes and hooks the particular APIs ‘CreateProces’ and ‘CreateProcessAsUser’ for controlling process spawning. Before deleting the original dropper, Win32/Gataka will first copy it to a file in the Application Data folder following a predefined random behavior. In order to be persistent, Win32/Gataka adds a value to the specific registry key, pointing to the executable that was set in the Application Data folder. Win32/Gataka then proceeds to encrypt the original executable using a XOR key and saves it in the Application Data folder. The path to this encrypted file is kept in the specific registry key value, which is also XOR encrypted. When installed, Win32/Gataka will attempt to connect to the command-and-control (C&C) server by starting ‘iexplore.exe’, inserting it with a malevolent code and then sending encrypted POST requests.
How Can You Detect Win32/Gataka?