report / Oct 15, 2014

Tinba Malware: Domain Generation Algorithm Means New, Improved, and Persistent

by Pasel Asinovsky

Tinba, also known as "Tinybanker", "Zusy" and "HµNT€R$", is a banking Trojan that was first seen in the wild around May 2012. Its source code was leaked in July 2014. Cybercriminals customized the leaked code and created an even more sophisticated piece of malware that is being used to attack a large number of popular banking websites around the world.

The original Tinba malware was written in the assembly programming language and was noted for its very small size (around 20 KB including all Webinjects and configuration). The malware mostly uses four system libraries during runtime: ntdll.dll, advapi32.dll, ws2_32.dll, and user32.dll. Its main functionality is hooking all the browsers on the infected machine, so it can intercept HTTP requests and perform web injections.

The new and improved version contains a domain generation algorithm (DGA), which makes the malware much more persistent and gives it the ability to come back to life even after a command and control (C&C) server is taken down.

Upon execution, the malware initially infects the system by opening the winver.exe process, which is a legitimate windows applet that shows the Windows version, injecting itself into it, and propagating into Explorer.exe by creating Thread ID: 3460. Then, while operating through Explorer.exe, it writes itself as a bin.exe file in the C:\Documents and Settings\Administrator\Application Data\557CEB7B\ folder.

Tinba gains control over the system by hooking several functions inside the ntdll.dll library. The hooked functions are: NtCreateProcessEx, NtCreateThread, NtEnumerateValueKey, NtQueryDirectoryFile, and NtResumeThread.

In order to stay persistent in the system, the malware writes two autorun locations, making it start with Windows at boot. The autoruns are written into the registry in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE registry hives, under the Software\Microsoft\Windows\ CurrentVersion\Run\ key; both point to the malware executable at C:\Documents and Settings\Administrator\Application Data\557CEB7B\bin.exe.

To see the full version of this report, click "Download" below.

MODIFIED: Feb 22, 2017

Tags: , , , , ,
stay up to date

Get the latest application threat intelligence from F5 Labs.

There was an error signing up.
Thank you, your email address has been signed up.

Follow us on social media.