In the 21st century, nobody can rely on offline modes of payment all the time. Financial institutions, especially banks, have gone the extra mile to ease the process for their clients, and in doing so have attracted cybercriminals and their ever-changing malware as threats to their information security. Tinba is one such threat, and it especially plagues Windows. Read on to learn more about this tiny virus and its not-so-tiny implications.
What is Tiny Banker Trojan?
Tiny Banker Trojan, or Tinba, is a banking trojan first seen in 2012, when it infected thousands of computers in Turkey. What makes this malware special is its small size and the amount of harm it can cause despite that size.
The malware is only around 20 kB in size, yet it steals user data, login credentials and other sensitive information using man-in-the-middle (MITM) attacks.
What is a banking trojan?
A banking trojan is a type of malware that tries to steal a user's (the bank client's) sensitive banking information, such as login credentials, passwords and account details, in order to gain access to the account and drain all of that user's funds at the targeted bank.
Why is it so dangerous?
It's just another piece of malware out there, so what makes it more dangerous than the rest? The original source code of the Tinba banking trojan was leaked on dark web forums around 2014 after a rift between the cybercriminals behind it, and since then several mutations of this virus have appeared.
It's said to have originated from the Zeus virus, and since the leak it has taken new and more dangerous forms. The source code is easily and freely available, and malware developers around the world have reused it with their own changes to make it more destructive, adding different attack vectors in each new version.
For these reasons, the Tiny Banker virus is considered one of the most dangerous trojans attacking banking institutions; it peaked in 2016 and continues to circulate in different forms.
How does the trojan work?
To understand how this malicious code works, let's break it down into its phases.
Phase 1: Phishing
Phishing emails, usually sent from infected websites, deliver the malicious code to the user as attachments such as zip files and Word documents.
Phase 2: Execution
Once the victim has been phished and has downloaded the malicious software, the code is dropped into the %AppData% folder, usually under the name bin.exe.
Phase 3: Time of execution
Tinba is a banking malware, so the malicious code waits for the user to visit the website of one of the targeted banks. The moment the user visits the site, a pop-up window appears asking for login details.
Phase 4: Command and Control Server
TBT encrypts its connection to the C2 servers and sends the stolen details to them, so that the attacker can store those details and log in with the stolen credentials to access all of the victim's funds.
If the C2 servers are down, it falls back on local configuration files that it can use while it is unable to reach the server.
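As an added example that is not code from the original post or from any vendor tool, the Python script below walks a directory for the artifact named in Phase 2, a bin.exe under %AppData%, and reports each hit's size and SHA-256 so an analyst can compare it against vendor intelligence; the 64 kB size bound is an assumption loosely based on the "around 20 kB" figure above.

```python
"""Host triage for the Tinba drop location described above (added example)."""
import hashlib
import os
from pathlib import Path

# Indicators taken from the write-up: the dropper lands under %AppData%
# as bin.exe and is only about 20 kB in size.
SUSPECT_NAME = "bin.exe"
MAX_SUSPECT_SIZE = 64 * 1024  # assumption: a generous bound around "around 20 kB"


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspicious_binaries(root: Path) -> list:
    """Walk `root` and report every bin.exe found, flagging Tinba-sized ones."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != SUSPECT_NAME:
                continue
            p = Path(dirpath) / name
            size = p.stat().st_size
            hits.append({
                "path": str(p),
                "size": size,
                "sha256": sha256_of(p),
                # a tiny executable matches the write-up's description
                "tinba_sized": size <= MAX_SUSPECT_SIZE,
            })
    return hits


if __name__ == "__main__":
    # On a Windows host, %AppData% is the drop location named in the text;
    # elsewhere the home directory is used so the script still runs.
    appdata = Path(os.environ.get("APPDATA", Path.home()))
    for hit in find_suspicious_binaries(appdata):
        flag = "SUSPECT" if hit["tinba_sized"] else "review"
        print(f"[{flag}] {hit['path']} ({hit['size']} bytes) sha256={hit['sha256']}")
```

A hit is only a lead: confirm it with the file's hash against antivirus vendor data before acting on it.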
Man-in-the-Middle (MITM) Attacks
TBT uses a keylogger to record the user's keystrokes and capture sensitive information. The user logs into the bank, and the keystrokes are saved before being sent to the bank server over HTTPS.
From this man-in-the-middle position, the malware makes small changes to the page the user sees. These could be anything, for example a potential security question like the mother's maiden name to bypass security, or a password change prompt. The victim, seeing the page, thinks it is legitimate, provides all the data in the form to log into the website, and is duped.
Users are even asked for information such as bank balances or social security numbers to "verify" themselves on the website. All of this information is stored on the C2 server by the keylogger set up in the malware.
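As an added example that is not part of the original post, here is a Python check a bank's fraud or QA team could run against the login page as rendered in a client: it parses the form and flags any input the genuine form never asks for, ranking fields that match the asks described above (maiden name, social security number, balance) as high risk. The expected field set, the hint list and the sample page are all constructed for illustration.

```python
"""Flagging injected form fields on a bank login page (added example)."""
from html.parser import HTMLParser

# Assumption: the genuine login form asks for nothing but these two fields.
EXPECTED_FIELDS = {"username", "password"}
# Hints drawn from the write-up: injects ask for maiden names, SSNs, balances.
HIGH_RISK_HINTS = ("maiden", "ssn", "social", "balance", "pin", "cvv")


class FormFieldCollector(HTMLParser):
    """Collect the name of every user-facing input inside <form> tags."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.fields = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif self.in_form and tag in ("input", "select", "textarea"):
            # hidden tokens and submit buttons never ask the user for data
            if (attrs.get("type") or "text").lower() in ("hidden", "submit"):
                return
            name = attrs.get("name") or attrs.get("id")
            if name:
                self.fields.append(name.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def injected_fields(html, expected=EXPECTED_FIELDS):
    """Return every field found, the unexpected ones, and the high-risk subset."""
    parser = FormFieldCollector()
    parser.feed(html)
    extra = [f for f in parser.fields if f not in expected]
    high = [f for f in extra if any(hint in f for hint in HIGH_RISK_HINTS)]
    return {"all": parser.fields, "unexpected": extra, "high_risk": high}


# Constructed sample: a login form carrying two fields the real bank never asks for.
SAMPLE_INJECTED_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="token">
  <input name="username"><input type="password" name="password">
  <input name="mother_maiden_name"><input name="account_balance">
  <input type="submit" value="Log in">
</form>
"""
```

Running `injected_fields(SAMPLE_INJECTED_PAGE)` lists both injected fields under "high_risk"; the same comparison against a known-good baseline is what a bank would automate on test clients.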
Tiny Banker Trojan Removal
Now that we have discussed how this malware works, let's see what to do if one falls victim to this attack.
If a user is infected with this virus, the browser may misbehave and the system often crashes. Pop-up messages can lure the victim into logging in to the website. Messages like "you have been transferred extra funds, and the bank wants them refunded immediately" can appear on the screen so that the victim logs in to the malicious website.
The most common ways users get infected are downloading software from unknown websites, clicking on malicious links, and downloading files or even apps from phishing emails.
Although it is difficult to clean the system after it has been infected by this virus, as the malware injects itself into running Windows processes, one can use either of the techniques below to remove the virus from the computer.
- Removal tools from antivirus vendors.
- A full system restore from backup, although this carries a risk, as we do not know when the virus actually got into the computer. All changes made since the restore point will be lost.
How to prevent banking trojans?
Banking trojans are a stealthy form of malware; when a user is infected, the virus does not typically start its attack as soon as the infection lands on the computer. It waits for the right time, when the user accesses his bank account. Once he visits the banking website, the keylogger is activated and the attack is launched.
To prevent such attacks, users must take care of the following points:
Opening emails carefully:
- Be wary of phishing emails and open links carefully.
Good Antivirus Software:
- Antivirus software should be installed and regularly updated to prevent malware attacks on the system. System scans should also be performed on a regular basis.
Unusual behaviour of banking sites:
- When visiting a banking website on the browser, the user must look at the information asked carefully and see if there’s something suspicious on the page.
Install software from trusted sources only:
- Users must install software from official sites only. Third-party vendor software might contain malware and pose a threat to the computer.
With more and more business ventures resorting to online transactions and partnering with financial institutions like banks to conduct their daily business, the risk of cyber threats and malicious attempts to steal users' data is ever more on the rise. It is imperative for both users and businesses to keep themselves updated on information security and conduct regular malware analysis and research to address the issue and protect themselves from financial fraud.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.