IBM - New Variant of Tinba Trojan Targets European Users

Securityintelligence.com reported on 9th June, 2015 stating that researchers of IBM Security Trusteer have recently discovered an infection campaign using a new variant of the banking Trojan Tinba targeting European banking customers.

The fresh variant targeting customers of banks in Italy, Poland, Germany and the Netherlands was spotted in May and according to IBM Security, most of the infections being recorded in Poland and Italy with 45% and 21% respectively.

Just like most banking Trojans, Tinba uses the man-in-the-browser (MitB) tactic for dynamic injection of fake content into the online banking session and to collect the credentials of the account and codes of the security.

However, researchers found the latest variant which appeals to social engineering to trick the victim into transferring money to the cybercriminals or to provide the much popular information.

IBM says that they have spotted one message which informed users that their account had been locked due to transfer of some money to it inadvertently and victims were asked to refund the money to get their account unlocked.

Interestingly, the new version of Tinba has some interesting mechanisms of fallback designed to protect the botnet against hijacking and takedowns.

The list of features includes public key signing to make sure that only lawful botmasters can send commands and updates to the Trojan, update authentication of server at the time of receipt of new configuration data and an encryption layer depending on machine for each bot to thwart spoofing by researchers. Experts also noted that bots are designed to communicate with URL of hardcoded resource but if required, they can fall back to URLs from a domain generation algorithm (DGA).

Tinba targeted Turkey as one of the first countries where more than 60,000 unique infections were recognized during a campaign in 2012.

Scmagazineuk.com published a report on 9th June, 2015 quoting Marco Morana, Managing Director of Minded Security in UK and SVP of risk and controls of Citi Bank, London as saying "security firms should not chase families of new malware".

He added that rather they should approach this on a risk-based approach based on threat modeling.

He said that this attack proved that the actors behind Tinba are "not just going after consumers only but also after commercial banks as they are trying to collect huge money fraudulently."

» SPAMfighter News - 6/17/2015