Banking malware Trojan delivered through fake debt notifications

Jul 18, 2014 23:33 GMT  ·  By

Security researchers at Avast have documented a case where the Tinba banking Trojan is delivered to potential victims through an email posing as a legitimate debt notification. The campaign targets banks in the Czech Republic.

Back in 2012, when it was first reported, Tinba recorded high activity in Turkey, but the current malicious campaign may be conducted by different operators.

Jaromir Horejsi of Avast says that recently the spam campaigns against customers of Czech banks have become more intensive and that, in one of the latest attacks, potential victims were targeted through well-crafted fake messages luring them to launch a malicious file attached to the message.

In the sample provided by the researcher, the debt amount is $730 / €540, which includes all the “taxes.” The operators behind the campaign created a very persuasive message that includes real addresses of distrainors.

This social engineering tactic is designed to prompt the potential victim to look for more information about the issue; the details are conveniently included in the attached file, which is a heavily obfuscated malware dropper.

Analysis of the malware showed that, besides downloading the banking malware from a command and control server, the malicious file also opens an RTF file containing details about the purported debt, thus masking the actual infection of the machine.

Tinybanker malware communicates with the remote servers in an encrypted way, using the RC4 cipher with a hard-coded password.

After the recent discovery of the leaked source code for a 2012 version of Tinba banking Trojan, also known as Tinybanker or Zusy, on an underground forum, it was only a matter of time until the malware was leveraged in new attacks.

It is unclear if the cybercriminals use a different variant of the malware than the one whose code was leaked, but the hard-coded password is the same as in the 2012 malware strain. If this is indeed a new type of Tinba, the modifications are not significant, Horejsi said via email.

The configuration file lists the Czech banks Ceska Sporitelna, CSOB, Era and Fio as targets, and the information-stealing activity is conducted through web injects into the bank's web page.

These are downloaded from command and control (C2) domains hosted on a server in France. However, the domain names (picapicanet.net and picapicachu.com) have two different registrars with addresses in China.

Horejsi notes that the web injects come in an RC4-encrypted configuration file that is compatible with tools used with other banking Trojans, such as SpyEye and Carberp.
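The two points above (C2 traffic and the web-inject configuration both protected with RC4 under a hard-coded password) are illustrated by the following added example, which is not code from the Avast write-up or from the malware. The key, the web-inject style config lines and the captured blobs are all constructed placeholders; the example shows what an analyst with a known static key can recover, and why a static RC4 key with no per-message IV leaks the XOR of any two plaintexts without the key at all.

```python
# Added example, not from the Avast analysis. RC4 with a static (hard-coded) key,
# as the article describes for Tinba's C2 traffic and web-inject config.
# HARDCODED_KEY and the config lines below are constructed placeholders.

def rc4_keystream(key: bytes):
    """Yield the RC4 keystream for `key` (key scheduling, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a XOR stream cipher: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

# Placeholder standing in for the password recovered from the (leaked) binary.
HARDCODED_KEY = b"placeholder-static-key"

def recover_config(blob: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """Analyst view: with the static key known, a captured config decrypts directly."""
    return rc4(key, blob)

def xor_of_ciphertexts(c1: bytes, c2: bytes) -> bytes:
    """Every message under one static key reuses the same keystream, so
    C1 XOR C2 == P1 XOR P2: the key cancels out of the comparison entirely."""
    return bytes(a ^ b for a, b in zip(c1, c2))

# Constructed sample: two web-inject style config messages as an analyst might
# capture them on the wire, encrypted under the same static key.
CONFIG_1 = b"set_url https://bank.example/login GP\n"
CONFIG_2 = b"set_url https://other.example/auth GP\n"
ENC_1 = rc4(HARDCODED_KEY, CONFIG_1)
ENC_2 = rc4(HARDCODED_KEY, CONFIG_2)

if __name__ == "__main__":
    print(recover_config(ENC_1).decode())
    n = min(len(CONFIG_1), len(CONFIG_2))
    # Keystream reuse: ciphertext XOR equals plaintext XOR, no key needed.
    print(xor_of_ciphertexts(ENC_1, ENC_2)[:n] == xor_of_ciphertexts(CONFIG_1, CONFIG_2)[:n])
```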

It appears that the cybercriminals want to cover all angles and know that some banks enforce two-factor authentication (2FA) to make sure that only the account owner can access the account.

As such, they lure the potential victim into downloading a fake mobile app to be used for 2FA. This is achieved by displaying a message in the browser asking for two-factor authentication and providing links to a mobile solution called OTPDirekt.

The researchers have discovered that variants for Android, Windows Phone, Blackberry and iPhone are provided, but the download option is implemented only for Google’s OS.

Horejsi told us that Avast saw an infection rate of 3,000 unique IPs every hour and that a Russian organization could be behind the attack, as the phone number set to receive the 2FA codes was located in the region of Astrachan, in the southern part of Russia.