IBM X-Force malware researchers have uncovered an aggressive malware campaign targeting banks in Asia. The campaign, which uses the Tinba v3 banking Trojan to infect potential victims, has its sights set on business and corporate accounts held with nine major bank brands in Singapore.

While other countries are also targeted, the amount of Singaporean bank brands on the malware gang’s list top the chart. The country accounts for more than one-third of all targeted brands.

Figure 1: Location of targeted banks.

New Tinba v3 Campaign Targets Accounts in Singapore

The second half of 2015 has revealed a strong attack trend on high-value accounts of all types as cybercrime gangs attempt to diversify the sources they target and increase the amount of money they steal in each illicit transaction. This trend seems to indicate that more gangs than ever have set up the necessary infrastructure to launch such attacks and successfully make large transfers to offshore accounts.

Tinba v3 is known to be operated by a gang that uses three principal configurations to attack different regions in the world. The configuration currently targeting Singaporean banks is Asia-specific and has been further adapted to harvest user credentials for business and corporate accounts. In that same configurations file, the list of targeted URLs includes online trading sites, personal account credentials and credentials to access the accounts of users who browse to Singapore’s principal credit bureau.

Stay ahead of threats with global threat intelligence and automated protection

Recapping Tinba

Researchers have previously reported on the Tinba Trojan. It had been through several different configurations before this latest discovery, including a recent version that targeted Romanian banks.

Tinba’s most common infection method is through the Angler exploit kit, with users lured via malvertising campaigns. This infection approach is especially insidious because it can compromise popular, legitimate websites and serve poisoned ads. The infection itself is a drive-by download that takes place automatically and without the user ever seeing it occur.

Global Perspective

Tinba v3 attacks online banking customers in different geographies, with a dedicated configuration for each region — namely North America, Australia and New Zealand, Europe and Asia.

In terms of Tinba’s proliferation this year, IBM X-Force data shows that this malware is ranked sixth, right after Gozi, which is considered a semicommercial malware. At the time of writing, IBM X-Force malware researchers noted that the Gozi ISFB code version was leaked online; they expect it to become widely used by cybercriminals within the coming months.

The chart below shows the top offenders on the financial malware roster for 2015 so far.

Figure 2: Instances of financial malware in 2015.

What’s Next for Tinba v3?

Based on other IBM X-Force research into Tinba v3 campaigns, we expect to see this malware variation give special attention to the Southeast Asia region.

Tinba v3 campaigns are bound to raise the infection rates in the region and will result in an increase of fraudulent transactions for bank customers. We recommend that banks alert their customers and refresh the online banking security sections on their websites.

Users can mitigate the risk by:

  • Making sure their Internet browsers and plugin/extensions are all up-to-date;
  • Disabling plugins/extensions that are not frequently used or are potentially dangerous;
  • Adjusting browser settings to block ads or changing settings to detect potential malvertising;
  • Running appropriate protection on user endpoints to limit the potential damage of malware like Tinba.

IBM Security Trusteer has worked with customers to study and stop Tinba attacks. It can help banks that wish to learn more about this high-risk threat.

To stop threats like Tinba, banks and service providers can use adaptive solutions to detect infections and protect customer endpoints when malware migrates to or refocuses in their region.

Fighting evolving threats like Tinba variants is made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from IBM Security’s malware intelligence to provide real-time insight into fraudster techniques and capabilities.

Learn why global threat intelligence is more important than ever in the fight against web fraud

More from Malware

ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

7 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Ex-Conti and FIN7 Actors Collaborate with New Backdoor

15 min read -   April 27, 2023 Update This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, nor uses HCL Domino or any of its components in any way. The malware is…

15 min read