Advisory ID: ngCERT-2024-0036
Summary:
ngCERT has observed the resurgence of the Tinybanker malware, also known as “Tinba” or “Zusy”, a sophisticated banking trojan designed to steal sensitive banking information. It has been used to attack a large number of popular banking websites around the world. Threat actors infiltrate systems primarily through phishing attacks, malicious downloads, and compromised websites. Once inside, the malware captures sensitive data, including login credentials and keystrokes, and allows attackers to gain unauthorized access to users' online banking accounts without their knowledge, using techniques such as Man-in-the-Browser (MITB) attacks, JavaScript injection, keylogging, and packet sniffing. At 20KB, Tinybanker is the smallest known trojan, which makes it much harder to detect. Because its source code has been published online, new iterations of the malware continue to emerge, which is why it is considered a very destructive malware strain. Individuals and organizations are advised to take immediate steps to protect their systems and data from Tinybanker.
Damage/Probability: CRITICAL/HIGH
Platform(s): Windows Operating Systems
Description:
The Tinybanker malware is small (20KB) and stealthy, which makes it very difficult to detect. It is a modified version of the Zeus Trojan that infiltrates systems through phishing emails, compromised websites, and malicious links, and it uses Man-in-the-Browser (MITB) attacks, JavaScript injection, keylogging, and packet sniffing to access victims' financial information. Once successfully deployed, it copies itself as bin.exe in the %AppData% folder. Depending on the infected system's details, different versions of Tinybanker may appear in various folders under random names and hide their activity by encrypting their memory. When the affected system restarts, bin.exe runs again, which keeps Tinybanker active. Tinybanker targets sensitive Windows processes such as explorer.exe and svchost.exe. It can change settings in web browsers such as Internet Explorer and Firefox, turning off warnings and permitting HTTP content to be shown on HTTPS pages without alerts. Tinybanker encrypts its communication with its command-and-control server, uses four C&C domains to remain connected, and falls back on local configuration files if it cannot reach a server.
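The host behaviours described above (bin.exe dropped under %AppData%, an %AppData% binary injecting into explorer.exe or svchost.exe, and browser settings weakened to show HTTP content on HTTPS pages) can be expressed as detection logic. The following Python is an added example, not part of the ngCERT advisory; it runs over constructed Sysmon-style events, and the Internet Explorer zone value 1609 used for the mixed-content check is an assumption about how that setting is stored.

```python
import re

# Constructed sample telemetry (simplified Sysmon-style events), not a real capture.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Users\ada\Downloads\invoice.exe",
     "target": r"C:\Users\ada\AppData\Roaming\bin.exe"},
    {"type": "process_create", "image": r"C:\Users\ada\AppData\Roaming\bin.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "remote_thread", "source": r"C:\Users\ada\AppData\Roaming\bin.exe",
     "target": r"C:\Windows\System32\svchost.exe"},
    {"type": "registry_set", "image": r"C:\Users\ada\AppData\Roaming\bin.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609",
     "value": 0},
    {"type": "process_create", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# An .exe sitting directly in %AppData% (Roaming or Local); also catches random names.
APPDATA_EXE = re.compile(r"\\AppData\\(Roaming|Local)\\[^\\]+\.exe$", re.IGNORECASE)
INJECT_TARGETS = ("explorer.exe", "svchost.exe")  # processes named in the advisory
# Assumed storage of IE's "Display mixed content" setting (0 = allow without prompt).
MIXED_CONTENT_KEY_SUFFIX = "\\internet settings\\zones\\3\\1609"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return a list of human-readable findings for one event (empty if benign)."""
    findings = []
    t = ev["type"]
    if t == "file_create" and basename(ev["target"]) == "bin.exe" and APPDATA_EXE.search(ev["target"]):
        findings.append("bin.exe dropped under %AppData% (advisory indicator)")
    if t == "process_create" and APPDATA_EXE.search(ev["image"]):
        findings.append("executable launched from %AppData%")
    if t == "remote_thread" and APPDATA_EXE.search(ev["source"]) and basename(ev["target"]) in INJECT_TARGETS:
        findings.append("%AppData% binary injecting into " + basename(ev["target"]))
    if t == "registry_set" and ev["key"].lower().endswith(MIXED_CONTENT_KEY_SUFFIX) and ev["value"] == 0:
        findings.append("IE mixed-content warning disabled: HTTP allowed on HTTPS pages")
    return findings

def scan(events):
    """Run every event through check_event; returns (event_index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```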
Consequences:
A successful Tinybanker infection could lead to:
- System compromise.
- Unauthorized access to sensitive data.
- Loss and theft of sensitive data.
- Reputation damage.
- Ransomware attacks.
- Financial loss.
- DDoS attacks.
Solution:
ngCERT recommends the following:
- Avoid downloading or opening attachments in emails received from untrusted sources or unexpectedly received from trusted users.
- Regularly monitor for irregularities on websites or systems.
- Ensure that the operating systems, applications, antivirus, and plugins of all assets/systems are up to date.
- Regularly back up data to external devices or reputable cloud storage providers.
- Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solutions, and endpoint detection and response solutions including anti-malware software.
- Enforce a strong password policy, and implement regular password changes.
- Implement comprehensive security solutions on all necessary devices, such as BitLocker, FileVault and/or device encryption.
- Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.