A new variation of the Tinba malware, named Tinbapore, is targeting banks and other financial institutions and placing them at risk of losing millions of dollars.
According to the F5 Networks Security Operations Center (SOC) in Seattle, the attack starts with a spam email containing a malicious download or link. Once installed, the malware sets about stealing log-in credentials and injects malicious code into the user’s browser. In fact, the malware’s main functionality is hooking all the browsers on the infected machine so it can intercept HTTP requests and perform web injections to steal data.
It’s also very persistent: The malware is a rootkit, meaning that by hooking system functions, it has higher system privileges than the user, so it can hide itself from the user’s eyes, making it impossible to remove manually.
As its name suggests, Singapore has been the country most targeted, accounting for 30% of the attacked institutions known to the F5 SOC. Another 20% of the targeted entities are based in Indonesia and 15% are in the US.
This is the fifth variant of Tinba to be identified. Also known as Tinybanker, Zusy, and HµNT€R$, Tinba was first seen in the wild around May 2012. Its source code was leaked in July 2011, and since then it has evolved.
“Cybercriminals have customized the leaked code to create even more sophisticated pieces of malware that are being used to attack a large number of popular banking websites around the world,” F5 Networks researchers explained in the report.
Notably, it uses a domain generation algorithm, which makes the malware much more persistent and gives it the ability to come back to life even after a command and control server is taken down. Tinbapore also creates its own instance of explorer.exe that runs in the background. The original Tinba malware was written in the assembly programming language and was noted for its very small size (around 20 KB including all Webinjects and configuration).
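Because a domain generation algorithm makes the malware produce many candidate command-and-control names, most of which do not resolve, DNS logs are a practical place to look for it from the defender's side. The following is an added example, not code from the article or from F5's report: it scores the second-level label of each queried name for randomness (Shannon entropy and a low vowel ratio) and flags any client that produces several random-looking NXDOMAIN lookups. The log lines, the log format, the client addresses and the thresholds are all constructed for this illustration and do not describe Tinbapore's actual algorithm or infrastructure.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS resolver log: timestamp, client IP, queried name, response code.
# These lines are illustrative only; they are not captured Tinbapore traffic.
SAMPLE_DNS_LOG = """\
2016-01-13T09:12:01Z 10.0.0.15 www.example-bank.sg NOERROR
2016-01-13T09:12:04Z 10.0.0.15 mail.example.com NOERROR
2016-01-13T09:12:07Z 10.0.0.15 qzvxkrmplwat.com NXDOMAIN
2016-01-13T09:12:07Z 10.0.0.15 hfjdkwpqzxcv.net NXDOMAIN
2016-01-13T09:12:08Z 10.0.0.15 bnmqwertzxcl.org NXDOMAIN
2016-01-13T09:12:09Z 10.0.0.15 plkjhgfdsazx.info NXDOMAIN
2016-01-13T09:12:15Z 10.0.0.22 cdn.example.net NOERROR
2016-01-13T09:12:16Z 10.0.0.22 typo-sitee.com NXDOMAIN
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn):
    """Second-level label, e.g. 'qzvxkrmplwat' from 'qzvxkrmplwat.com'.
    Assumes a single-label public suffix (no Public Suffix List lookup);
    that simplification is an assumption of this example."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, min_len=8, min_entropy=3.0, max_vowel_ratio=0.2):
    """Heuristic: long, high-entropy label with very few vowels.
    Thresholds are illustrative and would need tuning per environment."""
    letters = [ch for ch in label if ch.isalpha()]
    if len(letters) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    entropy = shannon_entropy("".join(letters))
    return entropy >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, client, name, rcode = line.split()
    return {"ts": ts, "client": client, "name": name, "rcode": rcode}


def find_dga_suspects(log_text, threshold=3):
    """Return {client_ip: [names]} for clients with at least `threshold`
    random-looking lookups that came back NXDOMAIN."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["rcode"] != "NXDOMAIN":
            continue  # a DGA mostly queries names that do not exist yet
        if looks_generated(registrable_label(rec["name"])):
            hits[rec["client"]].append(rec["name"])
    return {ip: names for ip, names in hits.items() if len(names) >= threshold}


if __name__ == "__main__":
    for client, names in find_dga_suspects(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} random-looking NXDOMAIN lookups")
        for name in names:
            print("   ", name)
```

Combining the per-name score with a per-client NXDOMAIN count is what keeps the false-positive rate manageable: a single odd-looking hostname (a CDN label, a typo) is not interesting, but one workstation burning through several unresolvable random names in a few seconds is worth an analyst's attention, and the same logic transfers to any DGA family, not only Tinba.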