Tinba is a well-known banking trojan that has been wreaking havoc among users in the past five years, ever since its source code was leaked online.
Over time, the trojan, also known as Tinybanker, Zusy or HµNT€R$, has had four major versions. In a report from F5 Labs, the cyber security vendor announces a fifth version, one that has been updated to target banks in the APAC (Asia-Pacific) region, a territory in which Tinba hasn’t been very active until now.
This fifth version, named Tinbapore, doesn’t differ too much from the previous versions and still works in the same way.
It infects users through spam, gains boot persistence via a rootkit, initiates communication with a C&C server after scanning and collecting data from the victim, and then hijacks the user’s browsers.
More than half of Tinbapore infections were recorded in the APAC region
Differences from previous versions include the use of a domain generation algorithm (DGA), which makes it harder for security researchers to track down its C&C, and its own separate explorer.exe process that runs in the operating system’s background.
According to F5 researchers, the campaign responsible for spreading this most recent version of Tinba originates from Russian domain names.
Furthermore, most of its targets are located in Singapore, the country from whose name Tinbapore’s moniker was derived. Second to Singapore’s 30% we find Indonesia with 20%, another APAC country, and also Malaysia with 5%.
“Financial institutions in APAC are not the only ones at risk; the malware has also targeted institutions in the Europe, Middle East, and Africa (EMEA) region and the Americas,” F5 researchers reveal. “However, it is clear that the majority of attacks target financial institutions in Asia and the Pacific.”
The full report, Tinbapore: Millions of Dollars at Risk, is available for download.