Incident Response, Malware, TDR

Researchers discover Tinba variant with 64-bit support, other tricks

When the source code for Tinba – a banker trojan comprised of 20 KB of code – was made public in July 2014, there was speculation among security professionals that a new version of the malware could make an appearance with some new features.

It turns out the experts were right – researchers with Seculert have discovered a variant of Tinba that better skirts detection, as well as infects more systems, according to a Thursday post by Aviv Raff, CTO of Seculert.

Tinba previously supported 32-bit operating systems and applications, but the addition of 64-bit support has opened the door to new targets, Raff told in a Tuesday email correspondence, adding that popular browsers such as Chrome and Internet Explorer have increasingly become 64-bit.

“64-bit is a class of computer architecture which basically allows the usage of additional computer resources [such as] memory, [and so on],” Raff said. “However, it also requires the operating system and applications to support this architecture. Tinba now added support to inject itself to such applications.”

Because Seculert researchers have observed signed and unsigned executables, it is possible the trojan is being sold as a kit, or as malware-as-a-service, according to the post. Additionally, there is a chance that more than one group is using this Tinba variant.

“The attackers are signing the Tinba version in order to bypass security solutions which assume that signed executables are legitimate,” Raff said, adding that Tinba also dodges detection using a unique domain generation algorithm that makes it easier to create new domains.

The experts at Seculert are still researching the scope of the infection, but have determined that this variant of Tinba is spreading – typically via phishing emails – predominately in Germany and the Netherlands, but also in the U.S., Raff said.

“Tinba is becoming one of the most sophisticated malware families out there,” Raff said. “As we've seen with previous leakage of malware source code, [such as] Zeus becoming Citadel and GameOver Zeus, attackers will for sure create new Tinba versions with additional new "features.”

The purpose of Tinba is to circumvent two-factor authentication, or fool users into providing sensitive data, according to a Trend Micro whitepaper. The malware hooks into browsers and sniffs network traffic, as well as uses man-in-the-browser tactics and web injects to alter web pages.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.