Tinba 2.0 banking trojan now hitting Russian banks

Dell SecureWorks' Counter Threat Unit has found hackers using the Tinba 2.0 banking Trojan to target Russian financial institutions, businesses that hackers have tended to avoid in the past.

Tinba 2.0, also known as Tiny Banker, and its handlers are taking the unusual step of attacking Russian banks and payment service providers, Dell researchers said in a report. This is a major change in tactics compared to when Tinba 2.0 and the original Tinba botnet kit hit the wild in 2014. Then, the malware was specifically designed to avoid infecting Russian banks - the malware would uninstall itself if it detected the Cyrillic alphabet on the system it was attacking, Dell said.

“Historically, security researchers have found that many of the masterminds behind some of the most pervasive banking trojans and other money-making malware (such as spam bots) tend to be from Russia, Ukraine or Eastern Europe. And similarly, we have seen very few of these bank trojans and other families of malware target Russian computer users,” Dell said in its report.

However, the ongoing military conflict between the Ukraine and Russian-armed separatists could be the reason why hackers are switching targets, Dr. Brett Stone-Gross, senior security researcher with Dell's Counter Threat Unit, said in a Wednesday email.

“Russian banks may be more of a target now because of the recent conflict between Ukraine and Russia, which has opened the door for threat groups in those countries to launch attacks against each other without the risk of legal prosecution,” said Stone-Gross.

One reason cited for the hackers' earlier hands-off approach is that Russian police will move in on one of the country's citizens found hacking a domestic organization, said Stone-Gross, unlike when they go after Western targets.

“Russian law enforcement has been much more likely to take legal action against Russian citizens that are behind attacks when they are targeting Russian individuals and organizations. The risk of prosecution is far lower for a Russian cybercriminal that targets a financial institution in the U.S., U.K., and Western Europe,” Stone-Gross said.
