While Romania is widely suspected of being home to a large amount of cybercriminals – even with one city dubbed by some as “Hackerville” — we seldom see it targeted by those who attack Western countries.

In a recent finding, IBM Security X-Force researchers discovered an interesting Romania-focused configuration of the Tinba v3 Trojan, which exclusively targets 12 Romanian banks.

What’s New?

In late July 2015, IBM Security X-Force researchers analyzed a new Tinba v3 Trojan configuration file that is, according to our data, the first of its kind dedicated to Romanian banks. Previous versions of this malware attacked a number of European countries, but Romania wasn’t among them and is rarely a top target. Our analysis reveals that Tinba v3’s developers have expanded the capabilities and reach of the malware by updating its webinjections to match the new banks targeted in the Eastern European country.

The Tinba Bunch

The Tinba Trojan (also known as TinyBanker or Zusy) was first discovered in the wild in mid-2012. It was dubbed “tiny” due to its slim 20 KB file size, which included its configuration and webinjection kit. This malware initially acted like a classic banking Trojan, dedicated to grabbing user credentials and network traffic. The first Tinba release sported a form grabber to steal usernames and passwords and a webinjection mechanism for man-in-the-browser (MitB) attacks.

Although it started out as a tool used exclusively by its developers and their gang, its source code was leaked in mid-2014, and the project then began evolving in other directions. That code leak gave immediate rise to two more Tinba variations, which were taken up by different gangs, spawning Tinba v2 and Tinba v3. Each is a fully independent Trojan variation, clearly developed and updated by different individuals.

The most recent addition to the Tinba bunch is a fourth variation. Again, a new gang took the source code and revamped it to create a unique banking Trojan. In late June 2015, this gang lured in victims via a malvertising campaign, which led users to an exclusive exploit kit called HanJuan. HanJuan then dropped Tinba 4, the actual banking malware.

Of all the Tinba variations, v3 appears to be the most active and possibly commercially available. It is more prolific and appears to be used by more than one group.

Learn more about Staying ahead of threats with global threat intelligence

Tinba v3 Extending Its Reach

The configuration that targets Romanian banks at this time is linked with Tinba v3. Right from its first release, this variation showed that the developer behind it put some work into new features designed to enhance the Trojan’s evasion techniques, bypass automated security controls and “phone home,” even when the original command-and-control (C&C) server is down.

Botmasters typically strive to protect their botnets from potential hijacking and takedowns, and Tinba v3’s developer took extra care to ensure that its fallback mechanisms would secure the illicit business continuity.

In terms of its modus operandi, Tinba v3 relies on four principal fraud capabilities:

  • A persistent user-mode rootkit;
  • The ability to steal any set of credentials with a generic form grabber;
  • MitB capabilities;
  • Dynamic webinjection mechanisms.

Tinba v3 uses a few browser injection approaches. For example, the Trojan works with an automated transfer system (ATS) panel. ATS is fraudster lingo for a remote platform that Trojans access on the fly. The ATS contains transaction automation scripts, preprogrammed parameters and thresholds and mule account numbers that the malware relies on to complete illicit online transactions.

ATS was much more popular before two-factor authentication schemes came into the equation, but it is still effective in this case. The panels used by Tinba include dynamic social engineering designed to ask for the victim’s one-time password and then plug it into the bank’s page to complete the transaction.

Another common webinjection approach Tinba v3 uses in its configurations is called FI-Grabber, short for full information grabber. This is lingo for an injection that asks the victim to key in a large amount of personally identifiable information (PII) and other private details about the account. These grabbers are accessed on a remote server and automatically match the most relevant injection to the bank the victim is browsing.

FI-Grabbers are actually a paid cybercrime service that promises effective injections leading to a successful transfer. This all happens in real time and without exposing the Trojan’s actual injections inside the configuration file. Reaching out to an FI-Grabber is considered to be a more advanced means of manipulating Web sessions while still keeping the Trojan’s secrets under wraps.

The malware’s fraud scenario is similar to other Trojans of this grade: collect victims’ credentials, grab PII and use social engineering to steal two-factor authentication codes. Actual illicit transactions generated from Tinba-infected users typically come from the victim’s own device, which is indicative of the use of automation after the victim keys in the one-time password. Tinba-enabled illegitimate online banking operations take place via a remote transaction orchestration panel.

Threat Status

In terms of Tinba’s proliferation this year, IBM Security data shows that this malware is ranked sixth in popularity. It is right behind Gozi, which is considered commercial malware.

Tinba v3 attacks online banking customers all over Europe, mainly targeting Poland, Italy, Germany and the Netherlands. Per IBM Security X-Force data, this is the very first time we identified any of the Tinba variations attacking in Romania.

What’s Next for Romania?

Based on other Tinba v3 campaigns that IBM Security is familiar with, we expect to see more Tinba attacks in Romania going forward. The country may only be starting to face Tinba, but it is already plagued by the Dridex Trojan, Dyre, Neverquest and Zeus v2 variants. IBM Security data shows that, since the beginning of 2015, the most active Trojan in Romania is Dridex, but that could stand to change if Tinba accelerates its activity.

Since Tinba v3 webinjections are designed to harvest large amounts of personal information as well as two-factor authentication codes during the Web session, IBM Security recommends that banks alert their customers of the threat and refresh the online banking security education sections of their websites.

Romanian banks should ask customers to report suspicious emails. These financial institutions should also work closely with their antifraud provider to lower and contain risks as much as possible.

Read the white paper: Staying ahead of threats with global threat intelligence

More from Malware

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group 'Evil Corp,' which is the same…