Tinba, also known as “Tinybanker”, “Zusy” and “HµNT€R$”, is a banking Trojan that was first seen in the wild around May 2012. Its source code was leaked in July 2014. Cybercriminals customized the leaked code and created an even more sophisticated piece of malware that is being used to attack a large number of popular banking websites around the world.

The original Tinba malware was written in the assembly programming language and was noted for its very small size (around 20 KB including all Webinjects and configuration). The malware mostly uses four system libraries during runtime: ntdll.dll, advapi32.dll, ws2_32.dll, and user32.dll. Its main functionality is hooking all the browsers on the infected machine, so it can intercept HTTP requests and perform web injections.

The new and improved version contains a domain generation algorithm (DGA), which makes the malware much more persistent and gives it the ability to come back to life even after a command and control (C&C) server is taken down.

Upon execution, the malware initially infects the system by opening the winver.exe process, which is a legitimate windows applet that shows the Windows version, injecting itself into it, and propagating into Explorer.exe by creating Thread ID: 3460. Then, while operating through Explorer.exe, it writes itself as a bin.exe file in the C:Documents and SettingsAdministratorApplication Data557CEB7B folder.

Tinba gains control over the system by hooking several functions inside the ntdll.dll library. The hooked functions are: NtCreateProcessEx, NtCreateThread, NtEnumerateValueKey, NtQueryDirectoryFile, and NtResumeThread.

In order to stay persistent in the system, the malware writes two autorun locations, making it start with Windows at boot. The autoruns are written into the registry in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE registry hives, under the SoftwareMicrosoftWindows CurrentVersionRun key; both point to the malware executable at C:Documents and SettingsAdministratorApplication Data557CEB7Bbin.exe.

To see the full version of this article, click “Download” below.