Tinba, a 20KB trojan that scares banks in Singapore and Indonesia

A new variant of the infamous Tinba banking trojan has emerged in the wild and is targeting financial institutions in the Asia Pacific region.

Even small threats can scare the giants, this is the case of Tinba, a small malware that continues to create serious problems for financial institutions. Tinba is a popular financial trojan, the fifth version is now circulating in the wild targeting banks in the Asia Pacific region.

Tinba is a size 20KB bank trojan first seen in the wild in the mid-2012, in July 2014, security experts at Danish CSIS Security Group discovered that the source code of the Tinba banking trojan was published on an underground forum.

The source code for Tinba banking trojan, aka Tinybanker, has been leaked in the cybercrime ecosystem, the malware is recognized as the smallest banking malicious code in the wild and it is available on an underground forum.

The release of source code in the underground represents a significant milestone in the story of a malware, starting from this event many cyber criminal gangs and authors of malware propose their customized versions or offer the personalization of the code according the requirements provided by others criminal gangs.

In many cases groups of criminals start to provide all the necessary support to conduct cyber attacks based on a specific malware, this model of sale is commonly identified as malware-as-a-service.

Now experts from the security firm F5 have detected the fifth strain of the malware, they dubbed it Tinbapore since it mainly infected machine in Asia.

Nearly 30 percent of the infected machines are located Singapore, 20 percent in Indonesia, only five percent are in Australia.

The new variant Tinbapore has been improved to be more resilient to takeover of law enforcement as explained in a report published by F5.

“Newer and improved versions of the malware employ a domain generation algorithm (DGA), which makes the malware much more persistent and gives it the ability to come back to life even after a command and control (C&C) server is taken down. This new variant of Tinba, Tinbapore, now creates its own instance of explorer.exe that runs in the background. It differs from most previous versions in that it actively targets financial entities in the Asian Pacific (APAC), which was previously uncharted territory for Tinba.” reads the report. “This new variant of Tinba, Tinbapore, now creates its own instance of explorer.exe that runs in the background.” 

The choice to target financial organization in Asia is a novelty for the Tinba trojan as explained by the experts.

“It differs from most previous versions in that it actively targets financial entities in the Asian Pacific which was previously uncharted territory for Tinba.”

Timbapore is a rootkit, this means that it is able to hook system functions gaining higher system privileges than the user to remain under the radar and making it impossible to remove manually. The report provides a detailed analysis of the malware, including the injection mechanism it implements to inject malicious content into the victim’s browser and capture the logged information.

Enjoy the report.

 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Tinbapore, banking trojan)

[adrotate banner=”13″]