The financial malware formerly known as Tinba has gone through a few renovations recently and has now re-emerged in the Netherlands as a more sophisticated and better encrypted iteration of the Trojan.
Fobber, as researchers at Malwarebytes have dubbed the antivirus-dodging and information-stealing malware, has been infecting computers via drive-by downloads. Dutch security firm Fox-IT discovered that Fobber was an evolution of the Tinba malware discovered in 2012.
According to the Malwarebytes research, the Fobber code is distributed through malicious websites that are masked by URL shorteners. Fobber uses interstitial advertisements to infect dated versions of Internet Explorer (IE) and dated Flash Player plug-ins on both IE and Mozilla Firefox. A popular exploit kit called HanJuan is used to drop the Fobber payload onto the disk.
"It wasn't just a repackaging of the same code in a different shape -- it was actually new features," Jerome Segura, senior security researcher at Malwarebytes, said. "Primarily, it's better encryption [of the payload] and also an evolved format called WebInject. They're modules that are injected in your browser."
An example of this, Segura explained, is a prompt that appears to come from the banking site the user has logged on to but is actually generated by the WebInject module to harvest user information without alarming the victim. WebInject can also perform account transactions and alter what the browser displays to hide the fact that funds have been transferred.
Another difference in this evolution of Tinba is its shellcode use.
"Tinba v2 uses a shellcode to perform most of its actions," Jose Miguel Esparza, lead threat analyst at Fox-IT InTELL, said. "In the previous version the code was decrypted in order to be executed and it was kept decrypted afterwards. This new version re-encrypts the executed code to avoid its detection using signatures, for instance, and to make the analysis more difficult."
Esparza also noted a modification in the domain generation algorithm (DGA).
"The DGA seed used to be the first four bytes of the RC4 key, but now it is a hardcoded value, not related to the key," he said. "One of the constants used to calculate the domains has been changed, too."
The rest of the functionality, according to Esparza, is the same. Fobber still uses RC4 and RSA, as well as a static configuration that determines which of the users' POST requests are collected and sent to the command-and-control server.
Outdated versions of IE and Firefox are at risk of the Flash exploit. Chrome is not affected, Segura said, because it comes with a built-in Flash player that updates automatically and is more complicated to exploit due to its robust sandbox.
And while Tinba was a global threat, Segura's team observed that all of the Fobber infections were confined to the Netherlands, leading them to believe the attack was targeted. Malwarebytes said it has not yet observed the Fobber malware stealing any banking credentials, and that this may be because the new version is still in its early stages.
"Perhaps the bad guys behind this were preparing this new malware and testing it locally to see how it was doing before taking it mainstream," Segura said.
Or, according to Segura, the attack may be limited because the developers made a conscious decision to restrict the spread to a location where such exploits are still effective. The United States has recently become more aware of cybercrime attempts, due to well-publicized breaches.
"There seems to be more fertile ground over there for testing these banking Trojans," Segura said. "I think there was a switch generally to Europe, when it comes to banking malware in recent times."