IBM Security Trusteer researchers have recently discovered an infection campaign using a new variant of the banking Trojan Tinba that targets European banking customers. The latest version has been enhanced with several capabilities that significantly improve the malware’s effectiveness and resiliency.

Small and Free of Charge

Tinba is a truncation of “tiny banker” and, when first discovered in 2012, was the smallest banking Trojan in circulation by file size.

Tinba’s destiny took an interesting turn when its source code was publicly leaked in July 2011 in an apparent dispute between rival cybercriminals. Since the leak, various gangs have been able to rework the ready-made malicious code at no cost.

Security Intelligence reported in September of last year that, as a result of the proliferation of the source code, several campaigns using Tinba variations were launched in countries around the world, in many cases sporting significant improvements to the original code.

Latest European Tour

In May 2015, IBM Security Trusteer researchers discovered a Tinba infection campaign targeting Poland, Italy, the Netherlands and Germany. Nearly half of the recognized incidents were focused on Poland: 45 percent of the security events were traced back to that country. Italy was a distant second at 21 percent, according to the research.

Credential Stealing and Fake Messages

When Tinba infects a computer and the user tries to log in to one of the targeted banks, Tinba’s webinjects are launched into action. Depending on the targeted bank, victims are presented with fake messages and Web forms that ask for personal information or login credentials, or that request a funds transfer. The notice may even attempt to convince users that money has been added to their account accidentally and must be refunded immediately.

Tinba’s Fallback Mechanisms

In line with the anti-research and resilience features seen in other banking Trojans, the author of this Tinba variation, wary of hijacking and takedown attempts, incorporated several fallback mechanisms to keep the botnet intact. These safeguards include:

  • Public key signing to ensure that bot commands and updates can only come from the authorized botmaster;
  • Bots authenticating the updating server before accepting a new configuration;
  • A machine-dependent encryption layer for each bot to prevent security researchers from spoofing bots;
  • Bots communicating with hard-coded resource URLs and fallback to DGA-made URLs when necessary.
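The hard-coded-then-DGA fallback in the last bullet leaves a network-side footprint a defender can look for: once the hard-coded hosts are unreachable, an infected machine starts querying many generated and mostly unregistered names, producing a burst of NXDOMAIN answers from the resolver. The following Python is an added example (not IBM's, Trusteer's or Tinba's code) that scores resolver log lines for that pattern; the log lines, the thresholds and the single-label-suffix assumption in `registrable_label` are all constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log lines (client, query name, response code); not from the article.
SAMPLE_DNS_LOG = """\
10.0.0.5 update.example-bank.test NOERROR
10.0.0.9 qxzvkplmwtrbny.com NXDOMAIN
10.0.0.9 jdhwqpzlmvkrts.net NXDOMAIN
10.0.0.9 mrtkzqpvwxlnbh.com NXDOMAIN
10.0.0.9 plvxzqwmktrnhb.org NXDOMAIN
10.0.0.9 zkqwmplvtxrbnh.com NXDOMAIN
10.0.0.7 mail.example-corp.test NOERROR
10.0.0.7 nonexistent-typo.test NXDOMAIN
"""

VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits per character; uniformly random labels score near log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def max_consonant_run(s):
    """Longest run of consonant letters; vowels, digits and hyphens break the run."""
    best = run = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def registrable_label(qname):
    """Label left of the TLD; assumes a single-label suffix (no public-suffix list)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label):
    """Heuristic for DGA-style labels: long, high-entropy, unpronounceable (thresholds assumed)."""
    return (len(label) >= 10 and shannon_entropy(label) >= 3.0
            and max_consonant_run(label) >= 5)

def find_dga_suspects(log_text, min_hits=5):
    """Clients with at least min_hits NXDOMAIN answers for generated-looking names."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(registrable_label(qname)):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}
```

A single NXDOMAIN for a typo (10.0.0.7 above) stays below the threshold; only the sustained run of random-looking failures from one client is reported, which is the moment to pull that host for analysis.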

The Globalization of the Malware Threat

This latest Tinba campaign is just one of many malware threats that have migrated to Europe after previously targeting U.S. banks. Cybercriminals such as the Dyre gang have been able to overcome language barriers and adapt their tactics to attack local banks. While this trend may prove a challenge to the many banks that have not yet hardened their defenses, it also gives those institutions an opportunity to apply the lessons learned from combating this malware elsewhere.
