Fifth Version of Tinba Trojan Expands to Target Asian Banks

Posted on

Tinba is a well-known banking trojan that has been wreaking havoc among users in the past five years, ever since its source code was leaked online.

Through time, the trojan, also known as Tinybanker, Zusy or HµNT€R$, has had four major versions. In a report from F5 Labs, the cyber security vendor is announcing a fifth version, one that has received special updates so it can target banks from the APAC (Asia-Pacific) region, a territory in which Tinba hasn’t been very active until now.

This fifth version, named Tinbapore, doesn’t differ too much from the previous versions and still works in the same way.

It infects users through spam, it goes on to gain boot persistence via a rootkit, it initiates conversations with a C&C server after scanning and collecting data from the victim, and then goes on to hijack the user’s browsers.

Whenever the user accesses a Web-based banking portal or Web-based payments system, the malware will use Web injection techniques to insert malicious JavaScript code in the page, and collect the user’s credentials and other financial information. This data is later used for making fraudulent transactions.

More than half of Tinbapore infections were recorded in the APAC region

Differences from previous versions include the usage of a domain name generation algorithm that makes it harder for security researchers to track down its C&C, and its own separate explorer.exe process that runs in the operating system’s background.

According to F5 researchers, the campaign responsible for spreading this most recent version of Tinba is originating from Russian domain names.

Furthermore, most of its targets are located in Singapore, the country from whose name Tinbapore’s moniker was derived. Second to Signapore’s 30% we find Indonesia with 20%, another APAC country, and also Malaysia with 5%.

“Financial institutions in APAC are not the only ones at risk; the malware has also targeted institutions in the Europe, Middle East, and Africa (EMEA) region and the Americas,” F5 researchers reveal. “However, it is clear that the majority of attacks target financial institutions in Asia and the Pacific.”

The full Tinbapore: Millions of Dollars at Risk is available for download.

Tinbapore geographical spread

Tinbapore geographical spread


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s