January 19, 2016 By Douglas Bonderud 2 min read

In 2012, security firms uncovered the original version of Tinybanker, or Tinba malware, used to steal banking credentials from users in Europe, the Middle East and Africa. Four iterations later, the Trojan is still running amok. According to SecurityWeek, Tinybanker version five, also known as Tinbapore, was found in November 2015 and predominately targets banks in Singapore and other Asia-Pacific nations. Along with a new name are new features that make the banking Trojan difficult to detect, mitigate and remove.

Small Package, Big Impact

When Tinba was first detected, one notable feature was the program’s size. At just 20 kilobytes, malware-makers managed to pack a huge number of attack features into a very tiny package. Infosecurity Magazine described the Trojan’s infection arc: It typically starts with a malicious email containing an attachment or download link. Once a user opens the file or completes the download, the newest version of Tinybanker opens the winver.exe process, performs an injection and moves to explorer.exe.

Next, it creates a new bin.exe file in the \Application Data\ folder under a randomly generated subfolder and then folds in a host of system functions. More importantly, Tinba hooks into all browsers used on infected machines, allowing it to intercept any HTTP requests and perform webinjections.

That’s a lot for 20 KB, but the code doens’t stop there: Since this Trojan is also a rootkit, it’s able to grab higher permissions than admin users, making it impossible to remove manually. Rootkit abilities also let the program hook into multiple auto-run locations so it runs on Windows startup. It also lowers desktop security settings so it can perform browser injections without alerting users.

As the name suggests, Tinbapore is most active in Singapore, with 30 percent of all infections reported there. But it’s worth noting that 15 percent of all new Tinba attacks are happening on U.S. soil. Bottom line? The malware is small, fast, clever and incredibly hard to detect.

Better or Worse?

Banks are now painfully aware of the threats posed by credential-stealing malware, but according to a recent ZDNet article, they may actually be making the problem worse. Security expert Morten Kjaersgaard noted that Tinba infections now average 1,000 machines per day, while other malware such as Dyreza has seen an uptick in the past few months.

According to Kjaersgaard, “Banking Trojans constantly evolve to fit the banking space, making sure that they can circumvent two-factor authentication. … Once inside, the malware can easily morph to adapt to the banking environment.”

Security researcher Righard Zwienenberg pointed out that despite evolving threats, many banks aren’t following best practices; for example, they’re only asking for the account number and date of birth to confirm identity and aren’t using secure URLs. While some leverage two-factor authentication, many send one-time codes via text message, which can be intercepted and used by malicious actors. And in some cases, banks redirect to third-party confirmation sites that seem more like phishing grounds than legitimate fact-checking tools.

The fifth version of Tinba isn’t surprising since banks are effectively creating an ideal environment for malware to deceive ID gateways, while users continue to open spam emails and download infected attachments. Best bet? Use two-factor authentication at minimum, ideally with codes sent via voice rather than text in addition to multiple levels of social and behavioral verification.

That still may not be enough. With mobile banking access on the rise and more users willing to complete high-value transactions online, the industry is headed for a reckoning: Users must take ownership of online banking risk even as financial institutions take steps to mitigate it. Otherwise, this handful of Tinba versions is just the beginning.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today