Julia Karpin contributed research for this blog.

IBM Security Trusteer researchers, in addition to those from Avast, recently identified a new variant of the Tinba malware, which had its source code leaked in July. The variant is exhibiting some interesting new features, including techniques to bypass automated security controls and the ability to “phone home,” even if the original command-and-control (C&C) center has been taken down.

Initially, only a handful of financial institutions were targeted. However, at the time of this posting, this attack had broadened to include a larger number of banks globally — including the United States and Canada. Our research teams have been tracking and flagging these files as malicious with a combination of low (2/55) and high (22/53) detection rates in VirusTotal (VT) in addition to samples that have yet to be submitted to VT.

According to an analysis conducted by IBM Trusteer researchers, the malware seems to have been assembled from the leaked source code of the well-known Tinba malware, one of the most sophisticated financial malware toolkits available today. Since the leak of Tinba’s source code in July, new functionality has appeared, improving malware stealth, recovery mechanisms against takedown attempts and new behavioral changes.

Tinba’s new behavioral changes include:

  • Domain Generation Algorithm (DGA): Refers to a fallback mechanism for a bot to “call home” in case of the original C&C has been taken down.
  • Public Key Signing: Refers to a verification mechanism guaranteeing that a message could only be sent from authentic bot herder.
  • Preloaded Configuration: The malware is configured to attack at time of infection (even with no C&C connectivity).
  • Advanced Encryption Methods: An additional (machine-dependent) encryption layer has been added.
  • User-Mode Rootkit Capabilities: A means of hiding its traces and evading detection, even from advanced users.

Technical Analysis: From the Dropper to the Browser

After the dropper is executed, it generates a folder name using a hard-coded key XORed with the machine’s volume-serial number. The resulting hexadecimal string is used both in the malwares’ folder and mutex names. (The malware executable file name is hard-coded and hasn’t changed since the original Tinba).

Following that, the malware installs hooks on functions such as NtResumeThread, NtCreateUserProcess and NtCreateThread, which allow it to stealthily propagate in the system. Furthermore, it hooks NtQueryDirectoryFile and NtEnumerateValueKey in order to hide its folder and run key from advanced users.

Tinba Malware Phones Home

Tinba is joining Gameover Zeus in an attempt to improve communication capabilities with the C&C by having a fallback in the form of a DGA. Initially, it attempts to communicate with a hard-coded C&C server, and in case of failure, it starts using one of its fallback-generated domains.

An additional feature of the new strain is the usage of the crypt32 Windows library in order to authenticate the server against a challenge response. The infected machine sends a request comprising several time stamp counters (counting the number of CPU cycles since reset) concatenated together. This technique ensures a unique challenge is sent every time, so intercepting one challenge does not suffice to impersonate as the C&C server. This message is encrypted with RC4 (like all of Tinba’s communication) and then sent to the server. A hash of the message is created using SHA-1. The hash is then encrypted with a private key on the server’s side and returned as part of the response. The response itself is authenticated by the malware using the Windows API CryptVerifySignatureA with a hard-coded public key.

It is important to note that without proper authentication, the communication routine will not continue, and the authentication process will repeat forever. Following a successful authentication, the communication routine repeats itself several times and then attempts to authenticate again. This is done in gradually expanding intervals.


As opposed to previous Tinba strains, the new one comes with a preloaded configuration. If the browser is launched while the malware was unable to download a configuration, the preloaded, hard-coded one will be used instead.

In addition, on top of the RC4 decryption layer used in previous strains, the new strain adds a pre-step of XOR with the volume serial and a post-step of decompression using aPLib.

Automatic Transfer System Engine

In some recent configurations, we’ve discovered an interesting gem: the use of an ATSEngine panel, similar to the latest versions of Zeus, such as Citadel and ZeusVM.

Tinba configuration contains webinjects of external malicious Javascript code, as seen below:

This malicious code is capable of applying dynamic webinjects in a large number of online banking websites. It adjusts the webinject to the exact look and feel of the original website.

These dynamic webinjects are part of the ATSEngine infrastructure that enables the attacker to collect multiple data elements, such as the victims’ credit card type (credit, debit), CVV, PIN and SSN. The fraudster can then use a man-in-the-browser attack to transfer the available balance to a third party (a money mule), who withdraws the funds and sends them to the attacker in an untraceable way.

Sample MD5s

MD5 First seen Campaign
29f83c2c462deac10f3d06c42cc82f7e 09/09/14 Canadian
f5b486f92d336a5f3385314a70373ded 30/08/14 Global
bc6ede0ee763a67a016642f737d07bd6 28/08/14 Global
Scroll to view full table


Since the Tinba source code leak in July, Tinba has been spotted in various locations across the globe with new features and functionality. This serves as a reminder that cybercriminals are fully aware of reverse engineers and researchers analyzing their products; they are constantly developing new tactics and methods while attempting to stay under the radar and bypass automated and human security controls.

IBM Security Trusteer researchers and threat analysts are closely monitoring this variant while providing appropriate protection against this new threat, using either IBM Security Trusteer Rapport or IBM Security Trusteer Pinpoint Malware Detection to provide protection against this type of financial malware and many others. These solutions can detect, mitigate and remediate infections to protect the enterprise and your customers.

More from Banking & Finance

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…

What Do Financial Institutions Need to Know About the SEC’s Proposed Cybersecurity Rules?

On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.…