Operator aims at European users, mostly in Poland

Jun 9, 2015 12:49 GMT

A new variant of Tiny Banker (Tinba) Trojan was identified in a campaign last month, serving victims a bogus message about an accidental money transfer to their account.

The malware was first spotted in mid-2012 and, at just 20KB in size, it quickly made a name for itself as the smallest banking Trojan ever released. In July 2014, Tinba’s source code was leaked, spurring cybercriminals to create new variants.

Odd request for money transfer

Researchers from IBM Security found a fresh version in May that targets bank customers in Poland, Italy, the Netherlands and Germany, with most of the infections recorded in the first two countries, Poland and Italy, accounting for 45% and 21%, respectively.

Like most banking Trojans, Tinba uses the man-in-the-browser (MitB) tactic for dynamic injection of fake content into the online banking session and to collect the account credentials and security codes.

However, the latest variant found by the researchers also relies on social engineering to trick the victim into transferring money to the cybercriminals or into handing over the coveted account information.

According to IBM Security, one of the messages shown to the victim informs them that someone transferred money to their account by mistake and that an immediate refund is requested. The message adds that access to the account has been blocked until the error is corrected.

The message also claims that if the transfer is legitimate, the victim has to prove it by providing documentation at the nearest branch of the bank. Obviously, the goal here is to steer the victim towards refunding the money, which would also lift the restriction on accessing the account.

Older tricks are still efficient

The researchers say that the Tinba piece they identified comes with a set of features designed to protect the botnet from being disrupted. Some of these measures were highlighted by IBM Security in September 2014.

One of them is public key signing of messages, which ensures that commands and updates come from an authorized botmaster. Another is authenticating the update server before accepting a new configuration file.

To prevent researchers from impersonating an infected machine, the author of this Tinba version added a machine-dependent encryption layer.

Protection for the command and control servers is achieved via a domain generation algorithm (DGA), used as fallback when machines at the hard-coded IPs cannot be accessed.