Win32/Gataka - or should we say Zutick?

Jump to navigation Jump to search

(Publication) Google search: [1]

Win32/Gataka - or should we say Zutick?
Botnet Gataka, Zutick, Tinba
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2012 / 2012-11-30
Editor/Conference ESET
Link (Archive copy)
Author Jean-Ian Boutin


Win32/Gataka is an information-stealing Trojan that has been previously discussed on this blog here and here. Recently, we came across a post from its author on an underground forum trying to sell his creation. The post contained a help file detailing the inner working of this threat. This blog post will highlight some of the most interesting part of this help file.

First off, it is interesting to note that the malware author is trying to sell the kit under the name Zutick. The asking price is $3,300 for both the control panel and builder. The documentation states that this Trojan works with all versions of Windows (32- and 64-bit) and its installation and operation doesn’t require administrative rights. It offers many plugins that facilitate the stealing of sensitive information, mainly through injection of arbitrary content into the compromised host browser. More information on the techniques used by this malware to intercept user content can be found here. The documentation states that all major browsers are supported: Internet Explorer, Firefox, Chrome, Opera and Safari.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1257,
   editor = {ESET},
   author = {Jean-Ian Boutin},
   title = {Win32/Gataka - or should we say Zutick?},
   date = {30},
   month = Nov,
   year = {2012},
   howpublished = {\url{}},