New Banking Malware: Fifth Tinba Iteration 'Tinbapore' Found and Flagged
A new and improved version of Tinba, a banking Trojan known for its very small size, has been spotted in attacks that target the customers of European financial institutions. The same Tinba family, which steals information from compromised computers, is now also targeting banks in the Asia Pacific region.
The Tinba family was first catalogued on June 1, 2012, and that record was first updated on June 11, 2012, 10:19:53 AM. It affects Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista and Windows XP.
Tinbapore is the fifth iteration of the Trojan; it earned the name after roughly 70 percent of its infection base shifted to the Asia Pacific region.
Most infections are located in Singapore (about 30%) and Indonesia (about 20%), with only around 5% in Australia.
According to the researchers:
“Newer and improved versions of the malware employ a domain generation algorithm, which makes the malware much more persistent and gives it the ability to come back to life even after a command and control server is taken down,”
How it works:
When the Trojan is executed, it copies itself to the following location:
%SystemDrive%\Documents and Settings\All Users\Application Data\default\bin.exe
To suppress the warnings Mozilla Firefox would otherwise show when the victim visits insecure sites, it modifies the following file:
%SystemDrive%\Documents and Settings\All Users\Application Data\Mozilla\Firefox\Profiles\[USER PROFILE NAME]\user.js
To run every time the computer starts, it creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"default" = "%SystemDrive%\Documents and Settings\All Users\Application Data\default\bin.exe"
To alter Internet Explorer settings, it modifies the following registry value (action 1609 in zone 3, the Internet zone, is "Display mixed content"; setting it to 0 lets mixed HTTP/HTTPS content load without prompting):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1609" = "0"
The Trojan injects itself into the following processes:
After that it injects code into the following browsers:
The Trojan ends the following processes:
Having injected itself into these processes, the Trojan monitors network traffic and records the captured information in the following file:
%SystemDrive%\Documents and Settings\All Users\Application Data\default\web.dat
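The file, registry and Firefox artifacts listed above can be checked on a suspect host with a short triage script. The following PowerShell is an added example written for this page; it is not code from the original article or from any vendor write-up. It assumes the XP-era "Documents and Settings\All Users\Application Data" folder corresponds to %ProgramData% on Windows Vista and later, assumes PowerShell 4.0 or newer for Get-FileHash, and only reports the presence of a Firefox user.js (the article does not say which preferences are changed, so a human must inspect it).

```powershell
# Added host-triage example for the Tinba artifacts described above (not from the original page).
# Assumptions: %ProgramData% stands in for the XP "All Users\Application Data" path on Vista+,
# and Get-FileHash is available (PowerShell 4.0+). Run in the context of the affected user so
# that HKCU is that user's hive.

function Test-TinbaIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # Candidate data roots: modern %ProgramData% and the literal XP path from the article.
    $dataRoots = @(
        $env:ProgramData,
        (Join-Path $env:SystemDrive 'Documents and Settings\All Users\Application Data')
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    # 1. Dropped binary (default\bin.exe) and traffic capture file (default\web.dat).
    foreach ($root in $dataRoots) {
        foreach ($relative in 'default\bin.exe', 'default\web.dat') {
            $path = Join-Path $root $relative
            if (Test-Path -LiteralPath $path) {
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $findings += "File present: $path (SHA256 $hash)"
            }
        }
    }

    # 2. Persistence: HKCU Run value named "default" whose data points at default\bin.exe.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['default']) {
        $data = [string]$run.default
        if ($data -match 'default\\bin\.exe') {
            $findings += "Run key persistence: $runKey\default = $data"
        }
    }

    # 3. IE Internet zone (zone 3), action 1609 = "Display mixed content"; 0 means enabled silently.
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    if ($zone -and $zone.PSObject.Properties['1609'] -and ([int]$zone.'1609') -eq 0) {
        $findings += "IE zone setting: $zoneKey\1609 = 0 (mixed content allowed without prompt)"
    }

    # 4. Firefox user.js: report any profile-level user.js for manual inspection. The article
    #    gives the All Users path; the per-user %APPDATA% location is checked as well.
    $profileRoots = @()
    foreach ($root in $dataRoots) {
        $profileRoots += (Join-Path $root 'Mozilla\Firefox\Profiles')
    }
    if ($env:APPDATA) { $profileRoots += (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles') }
    foreach ($profiles in $profileRoots) {
        if (-not (Test-Path -LiteralPath $profiles)) { continue }
        Get-ChildItem -LiteralPath $profiles -Directory -ErrorAction SilentlyContinue | ForEach-Object {
            $userJs = Join-Path $_.FullName 'user.js'
            if (Test-Path -LiteralPath $userJs) {
                $item = Get-Item -LiteralPath $userJs
                $findings += "Firefox user.js present: $userJs (last write $($item.LastWriteTime)) - inspect manually"
            }
        }
    }

    return $findings
}

# Usage: print a report and set a non-zero exit code when any indicator is found.
$results = Test-TinbaIndicators
if ($results.Count -eq 0) {
    Write-Output 'No Tinba indicators found.'
} else {
    $results | ForEach-Object { Write-Output "[!] $_" }
    exit 1
}
```

A present user.js is not by itself malicious (users and enterprise policies legitimately create one), so the script flags it for review rather than treating it as a positive; the Run value and the zone 3 setting together with the dropped bin.exe are the stronger signals.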
The stolen information is sent to one of the following command-and-control (C&C) servers:
This new variant (Tinbapore) can create its own instance of explorer.exe that runs in the background, which sets it apart from previous versions.
The Trojan's source code leaked in July 2011, after which other actors grabbed it and customized their own sophisticated builds to target banks around the world.