January 19, 2016 By Douglas Bonderud 2 min read

In 2012, security firms uncovered the original version of Tinybanker, or Tinba malware, used to steal banking credentials from users in Europe, the Middle East and Africa. Four iterations later, the Trojan is still running amok. According to SecurityWeek, Tinybanker version five, also known as Tinbapore, was found in November 2015 and predominantly targets banks in Singapore and other Asia-Pacific nations. Along with a new name are new features that make the banking Trojan difficult to detect, mitigate and remove.

Small Package, Big Impact

When Tinba was first detected, one notable feature was the program’s size. At just 20 kilobytes, malware-makers managed to pack a huge number of attack features into a very tiny package. Infosecurity Magazine described the Trojan’s infection arc: It typically starts with a malicious email containing an attachment or download link. Once a user opens the file or completes the download, the newest version of Tinybanker opens the winver.exe process, performs an injection and moves to explorer.exe.

Next, it creates a new bin.exe file in the \Application Data\ folder under a randomly generated subfolder and then folds in a host of system functions. More importantly, Tinba hooks into all browsers used on infected machines, allowing it to intercept any HTTP requests and perform webinjections.

That’s a lot for 20 KB, but the code doesn’t stop there: Since this Trojan is also a rootkit, it’s able to grab higher permissions than admin users, making it impossible to remove manually. Rootkit abilities also let the program hook into multiple auto-run locations so it runs on Windows startup. It also lowers desktop security settings so it can perform browser injections without alerting users.
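The infection arc above (a file written to a randomly named subfolder of \Application Data\ as bin.exe, with explorer.exe as the writing process, then registered in an auto-run location) lends itself to a simple correlation rule. The script below is an added example written for this article, not code from the article, SecurityWeek, Infosecurity Magazine or any vendor. It assumes a generic key="value" event format, treats AppData\Roaming as the modern equivalent of Application Data, uses the HKCU Run key as one representative auto-run location, and applies a tunable heuristic for "random-looking" folder names; the sample events are constructed, not real Tinba telemetry.

```python
import re
from collections import defaultdict

# Constructed sample events in a generic key="value" format (not real Tinba
# telemetry and not a real EDR export); paths and folder names are made up.
SAMPLE_EVENTS = [
    r'FileCreate image="C:\Windows\explorer.exe" target="C:\Documents and Settings\alice\Application Data\x7q2k9fa\bin.exe"',
    r'RegSetValue image="C:\Windows\explorer.exe" key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" data="C:\Documents and Settings\alice\Application Data\x7q2k9fa\bin.exe"',
    r'FileCreate image="C:\Program Files\ExampleVendor\setup.exe" target="C:\Documents and Settings\alice\Application Data\ExampleVendor\bin.exe"',
    r'FileCreate image="C:\Windows\explorer.exe" target="C:\Documents and Settings\alice\My Documents\notes.txt"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# "...\Application Data\<subfolder>\bin.exe" as described in the article, plus
# the Vista+ equivalent "...\AppData\Roaming\<subfolder>\bin.exe" (assumption).
DROP_RE = re.compile(r'\\(?:Application Data|AppData\\Roaming)\\([^\\]+)\\bin\.exe$', re.IGNORECASE)
# One representative auto-run location; a real rule would cover several.
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)


def parse_event(line):
    """Split 'EventType k="v" k="v"' into a dict with a 'type' entry."""
    event_type, _, rest = line.partition(' ')
    fields = dict(KV_RE.findall(rest))
    fields['type'] = event_type
    return fields


def looks_random(name):
    """Heuristic (assumption, tune to your environment): a short lowercase
    alphanumeric name with digits mixed in, or with no vowels at all, is
    unlike a vendor folder name such as 'ExampleVendor'."""
    if not re.fullmatch(r'[a-z0-9]{6,16}', name):
        return False
    has_digit = any(c.isdigit() for c in name)
    has_vowel = any(c in 'aeiou' for c in name)
    return has_digit or not has_vowel


def analyze(lines):
    """Correlate file-drop and auto-run events by dropped-file path.
    Returns {path: sorted list of reasons}."""
    findings = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev['type'] == 'FileCreate':
            target = ev.get('target', '')
            m = DROP_RE.search(target)
            if not m:
                continue
            findings[target].add('bin.exe under Application Data')
            if looks_random(m.group(1)):
                findings[target].add('random-looking subfolder')
            if ev.get('image', '').lower().endswith('\\explorer.exe'):
                findings[target].add('written by explorer.exe')
        elif ev['type'] == 'RegSetValue' and RUN_KEY_RE.search(ev.get('key', '')):
            data = ev.get('data', '')
            if DROP_RE.search(data):
                findings[data].add('registered in an auto-run key')
    return {path: sorted(reasons) for path, reasons in findings.items()}


def suspicious(findings, threshold=3):
    """Paths that accumulate at least `threshold` independent indicators.
    A lone bin.exe under Application Data is noise; the combination is not."""
    return sorted(p for p, reasons in findings.items() if len(reasons) >= threshold)


if __name__ == '__main__':
    results = analyze(SAMPLE_EVENTS)
    for path, reasons in results.items():
        print(path, '->', ', '.join(reasons))
    print('escalate:', suspicious(results))
```

The point of scoring rather than matching a single indicator is that each piece in isolation (a file named bin.exe, a folder with an odd name, explorer.exe writing a file, a new Run entry) occurs legitimately; the infection chain the article describes produces all of them for the same path within a short window, which is what the correlation keys on.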

As the name suggests, Tinbapore is most active in Singapore, with 30 percent of all infections reported there. But it’s worth noting that 15 percent of all new Tinba attacks are happening on U.S. soil. Bottom line? The malware is small, fast, clever and incredibly hard to detect.

Better or Worse?

Banks are now painfully aware of the threats posed by credential-stealing malware, but according to a recent ZDNet article, they may actually be making the problem worse. Security expert Morten Kjaersgaard noted that Tinba infections now average 1,000 machines per day, while other malware such as Dyreza has seen an uptick in the past few months.

According to Kjaersgaard, “Banking Trojans constantly evolve to fit the banking space, making sure that they can circumvent two-factor authentication. … Once inside, the malware can easily morph to adapt to the banking environment.”

Security researcher Righard Zwienenberg pointed out that despite evolving threats, many banks aren’t following best practices; for example, they’re only asking for the account number and date of birth to confirm identity and aren’t using secure URLs. While some leverage two-factor authentication, many send one-time codes via text message, which can be intercepted and used by malicious actors. And in some cases, banks redirect to third-party confirmation sites that seem more like phishing grounds than legitimate fact-checking tools.

The fifth version of Tinba isn’t surprising since banks are effectively creating an ideal environment for malware to deceive ID gateways, while users continue to open spam emails and download infected attachments. Best bet? Use two-factor authentication at minimum, ideally with codes sent via voice rather than text in addition to multiple levels of social and behavioral verification.

That still may not be enough. With mobile banking access on the rise and more users willing to complete high-value transactions online, the industry is headed for a reckoning: Users must take ownership of online banking risk even as financial institutions take steps to mitigate it. Otherwise, this handful of Tinba versions is just the beginning.
