New Type of Trojan Steals Login Info & May Usher in a New Wave of Cyber Attacks

A new banking trojan, nicknamed “Tinba” (Tiny Banker) has been discovered by researchers.  Tinba utilizes a simple strategy–encompass as small an existence as possible.  Surprisingly small (20 KB), Tinba’s capabilities are just about as formidable as much larger malware.

Its chief objective is to burrow into browsers and then steal login information.  But, it is also able to, according to PCWorld, “use ‘obfuscated’ (i.e disguised) web injection and man-in-the-browser to attempt to finesse two-factor web authentication systems.”

PCWorld elaborates:

“A particularly interesting feature is the way it tries to evade resident security, injecting itself into the Windows svchost.exe and explorer.exe processes, as well as Internet Explorer and Firefox to give itself access to traffic passing through those.

The malware connects to one or more of four command & control domains on an RC4-encrypted channel.”

The actions of this trojan are not unusual–it’s been done before many times over, but its miniature size is what sets this particular piece of malware apart from the others.  It is the work of a developer who is clearly of the opinion that in terms of malware, the smaller the better.  Furthermore, the low detection rates among antivirus programs raises concerns that this technique could usher in a new wave of diminutive malware attacks.

Tinba is similar to “old-school viruses” written in x84 assembler a couple of decades ago.  Actual infection levels are not known, however banking malware is typically invisible until someone is actually victimized by it.

CSIS goes into further detail:

“As observed in several other Trojan-bankers and advanced malwares, Tinba utilizes a RC4 encryption algorithm when communication with its Command & Control (C&C) servers. Tinba uses four hardcoded domains for its C&C communication. This is done to avoid one domain from being nonresponsive and thus losing communication with its drones. If the first domain does not respond properly, Tinba simply moves on to the next domain down the chain. Updates are retrieved from the C&C server using an encrypted string to EHLO the C&C. If C&C server survives certain checks, then the before mentioned files are downloaded and executed on the infected host. C&C communication is illustrated below.

Tinba uses typical MiTB tricks and injects itself into legitimate processes such as iexplore.exe and firefox.exe. When successfully injected, Tinba reads settings from the configuration files (cfg.dat and web.dat) and intercepts and manipulate traffic through several browser APIs.”

For more information on Tinba, please click here.