January 19, 2016 By Douglas Bonderud 2 min read

In 2012, security firms uncovered the original version of Tinybanker, or Tinba malware, used to steal banking credentials from users in Europe, the Middle East and Africa. Four iterations later, the Trojan is still running amok. According to SecurityWeek, Tinybanker version five, also known as Tinbapore, was found in November 2015 and predominantly targets banks in Singapore and other Asia-Pacific nations. Along with the new name come new features that make the banking Trojan difficult to detect, mitigate and remove.

Small Package, Big Impact

When Tinba was first detected, one notable feature was the program’s size: At just 20 kilobytes, the Trojan packed a huge number of attack features into a very tiny package. Infosecurity Magazine described the Trojan’s infection arc: It typically starts with a malicious email containing an attachment or download link. Once a user opens the file or completes the download, the newest version of Tinybanker starts the winver.exe process, performs an injection and moves into explorer.exe.

Next, it creates a new bin.exe file in the \Application Data\ folder under a randomly generated subfolder and then hooks a host of system functions. More importantly, Tinba hooks into every browser used on the infected machine, allowing it to intercept any HTTP request and perform webinjections.

That’s a lot for 20 KB, but the code doesn’t stop there: Since this Trojan is also a rootkit, it can hide itself and run with permissions beyond those of admin users, making manual removal extremely difficult. Rootkit abilities also let the program hook into multiple auto-run locations so it runs on Windows startup. It also lowers desktop security settings so it can perform browser injections without alerting users.
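The infection chain above is concrete enough to turn into host-side detection logic. The following is an added example, not code from the article or from any published Tinba analysis: a small triage script that runs the described indicators (winver.exe injecting into explorer.exe, bin.exe dropped under a random subfolder of Application Data, an autorun entry pointing at that file) over constructed Sysmon-style host events. The event names CreateRemoteThread, FileCreate and RegistryValueSet are Sysmon's own; the sample records, the Run/RunOnce registry locations and the two-indicator threshold are assumptions made here.

```python
import re
from collections import defaultdict

# Indicators taken from the article's description of Tinba/Tinbapore.
# "Application Data" is the pre-Vista name of AppData\Roaming, so both
# spellings are matched; the subfolder name is random, hence [^\\]+.
DROP_PATH_RE = re.compile(
    r"(?i)\\(?:application data|appdata\\roaming)\\[^\\]+\\bin\.exe$")
INJECT_SOURCE = "winver.exe"
INJECT_TARGET = "explorer.exe"
# Assumption: the article only says "multiple auto-run locations"; the
# Run/RunOnce keys are the most common ones and are what is checked here.
AUTORUN_RE = re.compile(
    r"(?i)\\software\\microsoft\\windows\\currentversion\\run(once)?\\")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_injection_chain(ev):
    """winver.exe creating a thread in explorer.exe: the injection step."""
    return (ev.get("event") == "CreateRemoteThread"
            and _basename(ev.get("SourceImage", "")) == INJECT_SOURCE
            and _basename(ev.get("TargetImage", "")) == INJECT_TARGET)


def check_drop_path(ev):
    """bin.exe written under a random subfolder of Application Data."""
    return (ev.get("event") == "FileCreate"
            and DROP_PATH_RE.search(ev.get("TargetFilename", "")) is not None)


def check_autorun(ev):
    """A Run/RunOnce value whose data points at such a bin.exe."""
    return (ev.get("event") == "RegistryValueSet"
            and AUTORUN_RE.search(ev.get("TargetObject", "")) is not None
            and DROP_PATH_RE.search(ev.get("Details", "")) is not None)


RULES = {
    "injection_chain": check_injection_chain,
    "drop_path": check_drop_path,
    "autorun_persistence": check_autorun,
}


def triage(events):
    """Run every rule over the events; return per-rule hits and a verdict.

    One rule firing alone is treated as noise: winver.exe is a legitimate
    Windows binary (the "About Windows" dialog) and plenty of software ships
    a bin.exe. Two independent indicators on the same host is the threshold
    assumed here; the article does not specify one.
    """
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev)
    verdict = "suspicious" if len(hits) >= 2 else "clean"
    return {"verdict": verdict, "hits": dict(hits)}


# Constructed sample telemetry (not real captures). Paths and names are made up.
SAMPLE_INFECTED = [
    {"event": "ProcessCreate", "Image": r"C:\Windows\System32\winver.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"event": "CreateRemoteThread", "SourceImage": r"C:\Windows\System32\winver.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"event": "FileCreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Documents and Settings\alice\Application Data\7F3A9C1E\bin.exe"},
    {"event": "RegistryValueSet",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\7F3A9C1E",
     "Details": r"C:\Documents and Settings\alice\Application Data\7F3A9C1E\bin.exe"},
]
SAMPLE_BENIGN = [
    {"event": "ProcessCreate", "Image": r"C:\Windows\System32\winver.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},  # user opened "About Windows"
    {"event": "FileCreate", "Image": r"C:\Users\alice\Downloads\foo-setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Foo\bin.exe"},
]

if __name__ == "__main__":
    for label, events in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        result = triage(events)
        print(label, result["verdict"], sorted(result["hits"]))
```

The benign set shows why the path rule must not fire on its own: a legitimate installer writing `AppData\Roaming\Foo\bin.exe` trips `drop_path`, but without the injection or the autorun entry the host is still reported clean. The regex also insists on an intermediate subfolder, so `AppData\Roaming\bin.exe` is not matched.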

As the name suggests, Tinbapore is most active in Singapore, with 30 percent of all infections reported there. But it’s worth noting that 15 percent of all new Tinba attacks are happening on U.S. soil. Bottom line? The malware is small, fast, clever and incredibly hard to detect.

Better or Worse?

Banks are now painfully aware of the threats posed by credential-stealing malware, but according to a recent ZDNet article, they may actually be making the problem worse. Security expert Morten Kjaersgaard noted that Tinba infections now average 1,000 machines per day, while other malware such as Dyreza has seen an uptick in the past few months.

According to Kjaersgaard, “Banking Trojans constantly evolve to fit the banking space, making sure that they can circumvent two-factor authentication. … Once inside, the malware can easily morph to adapt to the banking environment.”

Security researcher Righard Zwienenberg pointed out that despite evolving threats, many banks aren’t following best practices; for example, they’re only asking for the account number and date of birth to confirm identity and aren’t using secure URLs. While some leverage two-factor authentication, many send one-time codes via text message, which can be intercepted and used by malicious actors. And in some cases, banks redirect to third-party confirmation sites that seem more like phishing grounds than legitimate fact-checking tools.

The fifth version of Tinba isn’t surprising, since banks are effectively creating an ideal environment for malware to deceive identity checks while users continue to open spam emails and download infected attachments. Best bet? Use two-factor authentication at minimum, ideally with one-time codes delivered over a channel the malware on the PC cannot read, such as a voice call, an authenticator app or a hardware token rather than a text message, in addition to multiple levels of social and behavioral verification.

That still may not be enough. With mobile banking access on the rise and more users willing to complete high-value transactions online, the industry is headed for a reckoning: Users must take ownership of online banking risk even as financial institutions take steps to mitigate it. Otherwise, this handful of Tinba versions is just the beginning.
