Russian and Japanese Banks hit by new Tinba


Hi all

The criminals behind the Tinba banking Trojan  are now focusing on larger banks in Russia and Japan. researchers with Dell SecureWorks have looked into an instance of malware last month and have found that the variant of the malware is targeting the biggest banks in Europe and and two popular payment service providers in Russia.

Tinba aka Tiny Banker is a Trojan with a small code behind it and is used to pilfer banking credentials, passwords, and other information that’s later used to perpetrate wire, or Automated Clearing House (ACH) fraud.

In October the researchers found 655 registered domains, 62 unique request paths and 43 unique encryption keys, statistics that’s led them to believe there’s now more than a dozen groups running Tinba 2.0 botnets.

Infections from 32,805 IP addresses were found after few of the botnets were sinkholed by the researchers. Most of the botnets amounting to 34.5% were located in Russia. Many infections were seen around Europe, mostly in Poland, Spain, Germany and the UK.

Researchers at IBM have mentioned that this is the first time the malware has been spotted in Russian banks.

SecureWorks researchers claim that malware like Tinba infrequently targets Russian computers, acknowledging the country is often a hub for the creation of “pervasive banking Trojans and other money-making malware….”There definitely seemed to be a propensity on the part of the cyber criminals behind these operations not to compromise Eastern European and Russian computers,”

According to the researchers, an uptick in Tinba attacks that target Shinkin banks, or cooperative financial institutions, located in Japan, along with other Asian countries like Indonesia and Malaysia has also been noticed.


In July 2014, the Tinba source code first appeared and was posted on an underground forum, but that first iteration of the malware was apparently quite different from 2.0.

SecureWorks say that the latest version of the malware appears to be controlled by one threat group and is primarily spread through spam email and exploit kits like Neutrino, Angler, and Nuclear. The malware has many capabilities and contains a list of domain names, RSA keys, and request paths, and has led to tens of thousands of active malware infections.

The 2.0 version is difficult to mitigate as it uses a more sophisticated domain generation algorithm. Not one but four hard-coded TLDs (top level domains) are used in the latest version.  This generates 400 possible domains, instead of 1,000. The malware also has a RSA signature mechanism that verifies whether or not the command and controller it communicates with is legitimate.

“The command-and-control communications rely on a domain generation algorithm (DGA) and verify the legitimacy of the server through RSA cryptography, making Tinba 2.0 botnets more challenging to disrupt. As a result, CTU researchers expect Tinba 2.0 to continue to remain popular in the foreseeable future.” Dr. Brett Stone-Gross, a Senior Security Researcher with the group said


Stay updated with us

Source: Akati

Comments are closed.