A Souped-Up Tinba Reemerges to Target Global Banks

A new, souped-up variant of the Tinba banking malware has popped up in the wild, sporting brand-new functionalities and global ambitions.

According to an analysis conducted by Trusteer researchers Tal Darsan and Julia Karpin, the malware seems to have been assembled from the leaked source code of the original well-known (and sophisticated) Tinba malware, which was made available in July.

The variant still carries out a classic man-in-the-middle (MiTM) attack, but is exhibiting some interesting new features, including techniques to bypass automated security controls and the ability to “phone home,” even if the original command-and-control (C&C) center has been taken down.

Further, the old-school Tinba targeted only a handful of financial institutions; the new-model malware has broadened its scope to include a larger number of banks globally — including in the United States and Canada.

Tinba’s new behavioral changes include, notably, a Domain Generation Algorithm (DGA)-based fallback mechanism for a bot to call home in case the original C&C has been taken down.

“Tinba is joining Gameover Zeus in an attempt to improve communication capabilities with the C&C by having a fallback in the form of a DGA,” the Trusteer researchers noted. “Initially, it attempts to communicate with a hard-coded C&C server, and in case of failure, it starts using one of its fallback-generated domains.”
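From the defender's side, a DGA fallback of this kind tends to surface in resolver logs as one host producing a burst of failed lookups for many distinct random-looking names. The sketch below is an added example, not code from the Trusteer analysis; the log format, the sample lines, the placeholder domains and every threshold are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: epoch-seconds, client, queried name, response code.
# All names use reserved placeholder TLDs; none is a real Tinba indicator.
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com NOERROR
1003 10.0.0.7 panel.invalid SERVFAIL
1004 10.0.0.7 qkzjxvbwpmhd.example NXDOMAIN
1005 10.0.0.7 tgrnflycsuae.example NXDOMAIN
1006 10.0.0.7 hxwoqzdkvbnm.example NXDOMAIN
1007 10.0.0.7 ypdmcjrlwsgt.example NXDOMAIN
1008 10.0.0.5 intranet.example NXDOMAIN
1009 10.0.0.7 vbkqxhzfjwne.example NXDOMAIN
1300 10.0.0.9 mail.example.org NOERROR
1301 10.0.0.9 zqxjkvwpbmhd.example NXDOMAIN
"""

def label_entropy(name):
    """Shannon entropy (bits per character) of the left-most DNS label."""
    label = name.split(".")[0].lower()
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def parse(log_text):
    """Yield (timestamp, client, name, rcode) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2], parts[3]

def find_dga_fallback(log_text, window=60, min_names=4, min_entropy=3.0, min_len=8):
    """Map each suspicious client to its distinct random-looking failed
    lookups when at least min_names of them fall within `window` seconds."""
    failures = defaultdict(list)
    for ts, client, name, rcode in parse(log_text):
        label = name.split(".")[0]
        if rcode != "NOERROR" and len(label) >= min_len and label_entropy(name) >= min_entropy:
            failures[client].append((ts, name))
    flagged = {}
    for client, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_names:
                flagged[client] = sorted(names)
                break
    return flagged

if __name__ == "__main__":
    for client, names in find_dga_fallback(SAMPLE_LOG).items():
        print(client, len(names), "random-looking failed lookups:", ", ".join(names))
```

Entropy and length cut-offs alone also match some legitimate machine-generated hostnames, so a hit is a lead for triage rather than a verdict.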

And, as opposed to previous Tinba strains, the new one comes with a preloaded configuration. “If the browser is launched while the malware was unable to download a configuration [due to no C&C connectivity], the preloaded, hard-coded one will be used instead,” Darsan and Karpin noted.

Other new features include: public key signing as a verification mechanism, guaranteeing that a message could only be sent from an authentic bot herder; advanced encryption methods that include an additional, machine-dependent encryption layer; and user-mode rootkit capabilities, as a means of hiding its traces and evading detection, even from advanced users.

This is not the first time that Tinba (or other banking malware) has been known to change up its tactics, but the source-code leak has spurred greater innovation.

“Since the Tinba source code leak in July, Tinba has been spotted in various locations across the globe with new features and functionality,” the researchers concluded. “This serves as a reminder that cyber-criminals are fully aware of reverse engineers and researchers analyzing their products; they are constantly developing new tactics and methods while attempting to stay under the radar and bypass automated and human security controls.”
