Tiny Tinba malware gets tough, new variants infect European banks

News by Doug Drinkwater

Researchers at IBM Security Trusteer say that new and nasty variants of the Tinba Trojan, said to be the world's smallest malware, are emerging, and they're targeting European banks.

Writing on the company's Security Intelligence blog earlier today, product and risk management expert Ori Bach gave an overview of how the ‘tiny banker' malware, which was first discovered in 2012 when it was the smallest Trojan in circulation with a file size of just 20kB, has been spreading ever since its source code was publicly leaked in July 2011.

He says that gangs have subsequently been able to rework and tweak the ready-made malicious code at no extra cost, while citing the firm's own evidence last September that there were ‘several' campaigns launching Tinba attacks around the globe. These variations, says Bach, sported “significant improvements to the original code.”

Eight months on, and IBM Security Trusteer researchers have gone onto discover a new Tinba infection campaign targeting Poland, Italy, the Netherlands and Germany. Nearly half of recognised incidents were focused on Poland (45 percent), with Italy a distant second (21 percent). Websense confirmed Poland as the number one infected country in an email to SC.

The number of UK incidents is unknown, although one source said the malware would likely to be targeting banks in the City. Towards the end of last year, Avast researchers found that a variant was infecting US and global banks, including Bank of America, JP Morgan Chase, HSBC and ING, via the Rig Exploit Kit.

After infection, Tinba comes into action when the user tried to log into one of the targeted banks. The malware's webinjects are launched, and victims may see fake messages and web forms asking for log-in credentials, personal information or permission to transfer funds. The notice may even attempt to convince users that money has been added to their account accidentally, and thus must be refunded to the bank immediately.

However, creators of the latest variant, wary perhaps of law enforcement takedowns and hijacking, also incorporate new fall-back mechanisms to make sure the botnet remains intact. Safeguards include public key signing – so bot commands and updates only come from authorised botmaster, bots authenticating the updating server before accepting a new configuration, a "machine-dependent encryption layer" for each bot to prevent security researchers from spoofing bots, bots communicating with hard-coded resource URLs and fall-back to DGA-made URLs when necessary.

As well as this additional resilience, and increased size (commentators now say new variants are up to 200kB in file size), the malware also sees the threat actors change focus away from US banks, and towards European banks. 

“Cyber-criminals such as the Dyre gang have been able to overcome language barriers and adapt their tactics to attack local banks," reads the IBM Trusteer blog post. While this trend may prove a challenge to many banks who have not yet hardened their defences, it also provides an opportunity for those institutions to take advantage of the lessons learned having combated this malware elsewhere.”

Bach later told SCMagazineUK.com: "We see attackers constantly evolving their attack techniques to ensure their success. They go where the money is and where they can be successful. In this campaign, fraudsters must adapt the malware for the countries they're targeting. This includes modifying it for language specificity, adapting its inner workings for local banking security measures, adding a mobile component to steal SMS authentication, and more. "

Chris Boyd, malware intelligence analyst at Malwarebytes, said in an email to SC:

“Tinba combines a light footprint with advanced techniques - protection against others taking control of the bot network works equally as well against scammers trying to swipe profits as it does researchers trying to shut a network down. Additionally, the fraudulent "you have overpaid" messages are right out of the spear phishing playbook, and likely to fool most people viewing it.

“We hear so much about banking threats in relation to Brazil and the US that European-centric attacks tend to get glossed over - this is a timely reminder that no bank customer is 100 percent safe from the possibility of being targeted. It's an indicator of the fact that criminals continue to learn from the commercial world, which has figured out that localisation is a good way of convincing people to download and click on things.”

Marco Morana, managing director of Minded Security UK, and SVP of risk and controls for Citi Bank London, said in conversation with SC earlier that security teams shouldn't be chasing new malware families. “Rather we should approach this on a risk-based approach, based on threat modelling,” he said.

He said this attack was proof that the actors behind Tinba are “not just going after consumers, but commercial banks too. They're going after the big money for fraud.”

Giorgio Fedon, co-founder and senior security consultant at Minded Security, expanded upon Mortana's points in an email to SC.

“The fast pace re-engineering of banking malware by fraudsters requires a new approach toward malware detection that is risk-centric not banking family signature-centric. Today we are talking about of less than of one hundredth types of families of banking malware that are a copy in features of previous strain of banking malware like in the case of Tinba (short for TinyBanker).  What makes Tinba special are the techniques of web-inject that are used to lure victims with social engineering messages as well as the evasion techniques such as checking the mouse movements and the active window that the user is working to bypass sandboxing.

“To be effective against malware banking threats the focus of malware detection and account take over fraud prevention must be on the threat and the risk and not the malware family itself. The risk of malware depends from risk factors such as the type of browser supported, the fact that the drop zone is active and analysis that the malware might able to bypass banking layered defences with a threat model.”

Kevin Epstein, VP of advanced security and governance at Proofpoint, said in an email to SC: “Originally valued for its small size, which made it a faster and less detectable download into target computers, cyber-criminals have increasingly ‘armoured' Tinba over the last year with anti-takeover functionality, designed to ensure it remains in contact with its controllers. 

“Such measures re-emphasise the need for additional enterprise defences, beyond endpoint detection – such as targeted attack protection to disrupt the delivery vector, and automated threat response to block communications ports post-infection.”

Lamar Bailey, director of security R&D at Tripwire, added: that there have been several advances in the effectiveness of the malware since the source code leak,  including 64-bit adoptions and signing of the code.  

"The latest more effective mutations have happened more recently and this Trojan has become more popular. The most interesting feature is the Domain Generated Algorithm phone home feature which allows the malware to use backup command and control (C&C) channels if the original servers have been taken down by law enforcement.  

"If the hardcoded command and control channels are not responding the malware will use a predefined algorithm to general domain names looking for the backup servers and when it finds a match the malware can disclose the banking credentials collected and download updates.  The malware can generate thousands upon thousands of these domains to find active backup command and control servers making it nearly impossible to shutdown all the servers. This ability allows the attackers to pop up sites for very short periods of time then remove them and choose another domain before they are discovered."

Bailey added that encryption mechanisms have been hardened to reduce the chances of law enforcement spoofing communications, and says that the malware is also being used to target specific banks with pre-load configurations to mimic bank websites. 

Carl Leonard, principal security analyst at Websense, said: "This attack is indicative of the trend we are seeing in malware authors using simple but aggressive techniques to access rich data within the banking industry. We don't see this vulnerability slowing down as the Tinba infrastructure is also being used for hosting C&C for other malware.

"Ultimately banking customers will always be a target for all threats and threat agents because of rich data - banks therefore need to ensure they have real-time detection and protection across the kill chain as a necessity."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews