Watch out! Trojan Tinba is back and it’s after your money


F5 Networks has found a variation of the financial trojan Tinba in the wild which is now going after banks in Asia. It's been dubbed Tinbapore in recognition of its origins. 

In a research paper published by F5, the company said that about 30 percent of infections are located in Singapore and 20 percent in Indonesia, followed by a further 10 percent in India.

According to F5, financial institutions in Asia and the Pacific region are not the only ones at risk. The malware has also targeted institutions in Europe, Middle East and Africa as well as the Americas. However, it is clear that the majority of attacks target financial institutions in APAC.

Carrying many names such as Tinybanker, Zusy and HµNT€R$, when Tinba was first seen in the wild in May 2012, it was the first bite-size 20kb bank trojan.

Researchers at F5 said, “Newer and improved versions of the malware employ a domain generation algorithm (DGA), which makes the malware much more persistent and gives it the ability to come back to life even after a command and control server is taken down."

“This new variant of Tinba, Tinbapore, now creates its own instance of explorer.exe that runs in the background. It differs from most previous versions in that it actively targets financial entities in the Asian Pacific (APAC), which was previously uncharted territory for Tinba.”

Ilan Meller, global security operations centre (SOC) manager at F5 Networks, said F5 detected Tinbapore in November 2015. Since then it has "put millions of US dollars at risk". 

An F5 investigation revealed that Tinbapore is actually a new variant of Tinba malware. "The original Tinba malware was written in the assembly programming language and was noted for its very small size - around 20kb including all Webinjects and configuration. The malware mostly uses four system libraries during runtime: ntdll.dll, advapi32.dll, ws2_32.dll and user32.dll. Its main functionality is hooking all the browsers on the infected machine so it can intercept HTTP requests and perform web injections.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.