The Tinba Banker Trojan has spread to a growing number of financial institutions, researchers at AVAST Virus Lab have discovered.
A variant of Tiny Banker (Tinba), which was first seen infecting computers in Turkey and then in the Czech Republic, has been fine-tuned to zero in on banks in the U.S. and worldwide, including Bank of America, JPMorgan Chase, HSBC and ING, AVAST researchers David Fiser and Jaromir Hořejší found when analyzing the Tinba Trojan payload distributed by the Rig Exploit Kit (Flash or Silverlight).
“We have seen Tinba target financial institutions of smaller countries in the past, e.g. Czech Republic campaigns in the spring/summer of 2014 and a Turkish campaign in 2012,” Hořejší, senior malware analyst at AVAST, told SCMagazine.com in a Tuesday email correspondence. “This time it is now targeting more global institutions in Australia, Europe and the U.S.”
Once a user with a vulnerable system visits a website infected with the kit, the exploit executes malicious code that downloads and launches the aptly named Tinba trojan (it is only 20K in size).
“There are many other Trojans with similar capabilities, however, Tinba is very small in size…and its source code leaked some time ago,” Hořejší said.
When users try to log into a targeted bank's website from an infected computer, Tinba Trojan injects an HTML form into that site that victims are asked to fill out with personal information. Instead of being sent to the bank, of course, the sensitive information makes its way to the attackers.
This variant differs from the one aimed at Czech users in that “the payload was encrypted with a hardcoded RC4 password,” the researchers explained. The latest iteration required “a few more steps” to uncover, they said.
After locating a folder where the banking Trojan was installed, they found an executable file and an encrypted configuration file. Using aplib decompression, the researchers were able to view the configuration file in plaintext and from there, see that it was aimed at financial institutions around the globe.
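The extra decryption step the researchers describe is reproducible in principle because RC4 is a plain symmetric stream cipher. The following is an added example, not AVAST's tooling or the article's own code: it implements RC4, decrypts a constructed configuration blob with an assumed hardcoded key, and lists the target domains it contains. The key, the sample configuration and its line layout are all assumptions made for illustration, not values recovered from the real sample; the aplib decompression layer mentioned in the article is not reproduced, so the sample stands in for an already decompressed config.

```python
"""Added example: RC4 decryption of a constructed banker-config blob.

Not the article's or AVAST's code. Key, config contents and layout are
assumptions for illustration only; aplib decompression is not modelled.
"""
from typing import Dict, List


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same routine encrypts and decrypts."""
    # Key-scheduling algorithm (KSA): permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): XOR keystream onto data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Assumed key for this example; the real sample's key is not on the page.
ASSUMED_KEY = b"example-hardcoded-key"

# Constructed plaintext config: "# comment" lines and "domain<TAB>inject_id".
SAMPLE_CONFIG_PLAINTEXT = (
    b"# constructed sample config, not a real Tinba configuration\n"
    b"bank-one.example\tinj_login_01\n"
    b"bank-two.example\tinj_login_02\n"
    b"\n"
)


def parse_config(plaintext: bytes) -> List[Dict[str, str]]:
    """Turn the decrypted config into a list of {domain, inject_id} records."""
    targets = []
    for raw in plaintext.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        domain, _, inject_id = line.partition("\t")
        targets.append({"domain": domain.strip(), "inject_id": inject_id.strip()})
    return targets


def decrypt_and_parse(blob: bytes, key: bytes) -> List[Dict[str, str]]:
    """Analyst step from the article: strip RC4, then read the target list."""
    return parse_config(rc4_crypt(key, blob))


def targeted_domains(blob: bytes, key: bytes) -> List[str]:
    """Convenience view: just the domains the config names."""
    return [t["domain"] for t in decrypt_and_parse(blob, key)]


if __name__ == "__main__":
    encrypted = rc4_crypt(ASSUMED_KEY, SAMPLE_CONFIG_PLAINTEXT)  # constructed blob
    for target in decrypt_and_parse(encrypted, ASSUMED_KEY):
        print(target["domain"], "->", target["inject_id"])
```

The point of the exercise is the one Hořejší makes: once the configuration is in plaintext, the list of targeted institutions falls out directly, which is what lets defenders warn the right banks and customers.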
“The configuration files have one more layer of encryption compared to the Czech campaign we analyzed,” Hořejší said. “The Czech campaign was spread via email, whereas this time it is being spread via an exploit kit.”
Hořejší called the decryption of the Tinba variant “interesting, because it lets us know what organizations are targeted.” He urged users to be careful about which websites they visit and not to give out personal information.
“Modified websites ask for more information than banks would usually ask for,” he explained. “If you log in to your online banking account and your bank suddenly asks for your credit card number and PIN, something is wrong.”
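Hořejší's rule of thumb, that a login page suddenly asking for a card number and PIN is a warning sign, can be turned into a simple integrity check a bank or a browser extension could run against the rendered login page. The code below is an added example, not part of the article or of any AVAST product: it parses the input fields of a page, compares them with the set of fields the genuine login form is known to have, and flags unexpected fields whose names hint at card or PIN data. The two HTML pages, the expected-field set and the keyword list are constructed for the example.

```python
"""Added example: flag injected form fields on a banking login page.

Not from the article or AVAST. The sample pages, EXPECTED_LOGIN_FIELDS and
SENSITIVE_HINTS are constructed assumptions for illustration.
"""
from html.parser import HTMLParser
from typing import List, Set

# Fields the genuine login form is known to contain (assumed for the example).
EXPECTED_LOGIN_FIELDS: Set[str] = {"username", "password", "remember_me"}

# Name fragments a login form should never ask for (assumed list).
SENSITIVE_HINTS = ("card", "pin", "cvv", "cvc", "ssn", "security_code")

# Constructed sample: the bank's real login form.
LEGIT_LOGIN_PAGE = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="checkbox" name="remember_me">
  <input type="hidden" name="csrf_token" value="constructed">
  <input type="submit" value="Log in">
</form>
"""

# Constructed sample: the same form after an injected block of extra fields.
INJECTED_LOGIN_PAGE = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="checkbox" name="remember_me">
  <div class="verify">
    <input type="text" name="card_number">
    <input type="password" name="atm_pin">
  </div>
  <input type="hidden" name="csrf_token" value="constructed">
  <input type="submit" value="Log in">
</form>
"""


class _InputCollector(HTMLParser):
    """Collect the names of user-facing <input> fields in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        kind = (a.get("type") or "text").lower()
        if kind in ("hidden", "submit", "button", "image", "reset"):
            return  # not something the user is asked to type
        name = a.get("name") or a.get("id")
        if name:
            self.fields.append(name.lower())


def collect_input_fields(html: str) -> List[str]:
    """Return user-facing input field names found in the page."""
    collector = _InputCollector()
    collector.feed(html)
    collector.close()
    return collector.fields


def unexpected_fields(html: str, expected: Set[str] = EXPECTED_LOGIN_FIELDS) -> List[str]:
    """Fields present on the page that the genuine form does not have."""
    return [f for f in collect_input_fields(html) if f not in expected]


def looks_injected(html: str) -> bool:
    """True when an unexpected field asks for card/PIN-style data."""
    return any(
        hint in field for field in unexpected_fields(html) for hint in SENSITIVE_HINTS
    )


if __name__ == "__main__":
    for label, page in (("legit", LEGIT_LOGIN_PAGE), ("injected", INJECTED_LOGIN_PAGE)):
        print(label, unexpected_fields(page), looks_injected(page))
```

The check is deliberately conservative: it compares against an allow-list of the bank's own fields rather than trying to recognise the injected HTML, so it does not depend on knowing a particular trojan's inject. A matching server-side version of the same comparison, run against what the browser actually submits, catches the case where the fields are posted back to the real site as well.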