A Trojan targeted at financial institutions, known for its small size but powerful abilities, has expanded the number of banks it can collect data from. Tiny Banker, also known as the Tinba Trojan, is 20 KB in size and features network sniffing and man-in-the-browser capabilities.
Researchers at Avast discovered the Trojan is back in circulation, and it targeted more than two dozen financial institutions in the US, including some big names such as TD Bank, Chase, HSBC, Wells Fargo, PNC, Bank of America and more. This comes after the Trojan targeted a small number of banks in Europe and Australia.
The Tinba Trojan has been modified over the years, mainly to bypass new security measures adopted by financial institutions. The malware’s source code was also leaked in an underground forum a few months ago.
The malware works by sneaking its way onto a customer’s PC via the Rig Exploit kit, which utilizes Silverlight or Flash exploits. The victim can fall prey to the malware by simply visiting a bank’s website that has been infected with the Rig Exploit kit.
“If the user’s system is vulnerable, the exploit executes a malicious code that downloads and executes the malware payload, Tinba Trojan,” explained Avast researchers in a blog post. “When the computer is infected and the user tries to log in to one of the targeted banks, webinjects come into effect and the victim is asked to fill out a form with his/her personal data.”
Detailed working of Tinba Trojan
When a customer with a vulnerable system visits a banking website infected with the Rig Exploit kit, the exploit runs malicious code that downloads and executes the malware payload, the Tinba Trojan.
The Trojan injects an HTML form into the website, and victims are asked to fill in personal information such as their social security number, credit card details and address. Researchers also found the form asking for ‘Mother’s Maiden Name’, a notable detail because that answer is often used as a security question for password reset requests.
The details are not stored on the bank’s servers but are redirected to systems controlled by the attackers. This variant is not the one that was aimed at financial institutions in the Czech Republic: that one had an encrypted payload with a hardcoded RC4 password, whereas the latest variant takes a few more steps to unpack.
After locating the folder where the Tiny Banker malware was installed, the researchers found two files: an executable and an encrypted configuration file. Once decompressed with aPLib, the configuration could be read in plaintext, and it revealed that the Trojan targeted banking institutions on a global scale.
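The injected form described above and the decompressed configuration file are two views of the same artefact: the webinject config tells an analyst which URLs are targeted and which fields the injected HTML asks for. The following Python script is an added example, not code from the article or from Avast, that parses such a config and reports, per targeted URL, the harvested fields and which of them are high-value (SSN, mother's maiden name, card data). It assumes the Zeus-style block layout (`set_url` / `data_before` / `data_inject` / `data_after` / `data_end`) that leaked banker configs commonly use; the domains, flags and HTML in `SAMPLE_CONFIG` are constructed for the example and are not from the page.

```python
"""Added example (not from the article or Avast): summarise what a
decompressed, Zeus-style webinject config harvests from each target page."""
from html.parser import HTMLParser

# Constructed sample config. The block format (set_url/data_*/data_end) is an
# assumption about Tinba's leaked configs; the domains and HTML are made up.
SAMPLE_CONFIG = """
set_url https://online.example-bank.test/login* GP
data_before
<form name="login"*>
data_end
data_inject
<input type="text" name="ssn" placeholder="Social Security Number">
<input type="text" name="mmn" placeholder="Mother's Maiden Name">
data_end
data_after
</form>
data_end

set_url https://secure.example-credit.test/* G
data_before
<form id="signon"*>
data_end
data_inject
<input type="text" name="cardnum">
<input type="text" name="cvv">
<input type="text" name="address">
data_end
data_after
data_end
"""

# Coarse substring hints for fields a bank login page should never ask for.
# Deliberately short so that ordinary fields ("address") are not flagged.
SENSITIVE_HINTS = [
    (("ssn", "social"), "social security number"),
    (("maiden", "mmn"), "mother's maiden name"),
    (("cvv", "cvc", "csc"), "card security code"),
    (("card",), "payment card number"),
    (("dob", "birth"), "date of birth"),
]


def parse_webinject_config(text):
    """Split the config into one dict per set_url block.

    Each dict carries the URL mask, its flags, and the raw text of the
    data_before / data_inject / data_after sections.
    """
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line and section is None:
            continue                      # blank line between blocks
        if line.startswith("set_url"):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": [], "inject": [], "after": []}
            entries.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section = line[len("data_"):]   # "before" / "inject" / "after"
        elif line == "data_end":
            section = None
        elif section is not None and current is not None:
            current[section].append(raw)    # body line of the open section
    for entry in entries:
        for key in ("before", "inject", "after"):
            entry[key] = "\n".join(entry[key])
    return entries


class _InputCollector(HTMLParser):
    """Collect (name, placeholder) for every form control in an HTML snippet."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            attr = dict(attrs)
            name = attr.get("name") or attr.get("id") or ""
            self.fields.append((name, attr.get("placeholder") or ""))


def injected_fields(html):
    """Return the form controls the injected HTML would add to the page."""
    collector = _InputCollector()
    collector.feed(html)
    return collector.fields


def classify_field(name, placeholder=""):
    """Label a field as sensitive if its name or placeholder matches a hint."""
    haystack = f"{name} {placeholder}".lower()
    for keys, label in SENSITIVE_HINTS:
        if any(key in haystack for key in keys):
            return label
    return None


def summarise(config_text):
    """Per target URL: all injected field names plus the sensitive subset."""
    report = []
    for entry in parse_webinject_config(config_text):
        fields = injected_fields(entry["inject"])
        sensitive = {name: classify_field(name, ph) for name, ph in fields
                     if classify_field(name, ph)}
        report.append({"url": entry["url"], "flags": entry["flags"],
                       "fields": [name for name, _ in fields],
                       "sensitive": sensitive})
    return report


if __name__ == "__main__":
    for item in summarise(SAMPLE_CONFIG):
        print(f"{item['url']} [{item['flags']}]")
        print(f"  injected fields : {', '.join(item['fields'])}")
        for name, label in item["sensitive"].items():
            print(f"  harvests        : {name} -> {label}")
```

A bank's security team can run the same summary over every decompressed config it obtains, diff the URL masks against its own hostnames to learn whether it is in the target list, and use the harvested-field labels to decide which customers to warn and which security questions (such as mother's maiden name) to retire.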
How can banks protect their customers?
In their conclusion, the researchers said customers should not give out personal details and should be careful about the sites they visit, but that the primary responsibility for customer safety lies with the cyber security departments of banking institutions.
Threats like Harkonnen Operation and Tinba Trojan need to be combated with actionable attack intelligence that is ideal for proactive measures and counter-measures to protect the digital infrastructure of banking institutions.
What is needed is an algorithm designed to detect adversary activity on the internet as well as the Dark Web, diving deep into underground Tor and I2P locations and finding cyber criminal hotspots.
With such solutions, banks can detect any effort made in targeting their digital landscape and trace criminal whereabouts by noticing system and website activity. It would also be useful to have real-time tracking of public media, blogs, comments and other sources associated with main websites operated by financial institutions.