Tag Archives: Tinba

Dating site users infected with banking Trojan after malvertising attack

A popular dating site and a huge telecommunications company were hit with malvertising.

Hacker at work

Trusted websites can be hit with malvertising

Popular dating site Plenty of Fish (POF) and Australian telco giant Telstra were infected with malicious advertising from late last week over the weekend. The infection came from an ad network serving the advertisements that the websites displayed to their visitors.

Malvertising happens when cybercrooks hack into ad networks and inject malicious code into online advertising. These types of attacks are very dangerous because web users are unaware that anything is wrong and do not have to interact in any way to become infected. Just last week, other trusted sites like weather.com and AOL were attacked in the same way. In the Telstra and POF attacks, researchers say that a malicious advertisement redirected site visitors via a Google URL shortener to a website  hosting the Nuclear Exploit kit which infected users with the Tinba Banking Trojan.

Malwarebytes researchers observed an attack before the POF discovery and surmised in their blog, “Given that the time frame of both attacks and that the ad network involved is the same, chances are high that pof[dot]com dropped that Trojan as well.” In turn, the Telstra attack was similar to the Plenty of Fish attack.

In an interview with SCMagazineUK.com, Senior Malware Analyst Jaromir Horejsi said,

“To protect themselves from malvertising, people should keep their software, such as browsers and plugins up-to-date, adjust browser settings to detect and flag malvertising. They should also have antivirus software installed to detect and block malicious payloads that can be spread by malvertising.”

The people at the highest risk are those website visitors with out-of-date software like Adobe Flash, Windows, or Internet Explorer. They could find their PC infected with the Tinba Banking Trojan, which is known for stealing banking credentials.  Tinba aka Tiny Banker went global last year when it targeted banks like Wells Fargo, HSBC, Bank of America, and ING Direct. The success of the Trojan relied heavily on a bank customer’s system being vulnerable because of out-of-date software.

For more protection, use security software such as Avast Antivirus with the Software Updater feature. Software Updater informs you about updates and security patches available for your computer.


 

Follow Avast on FacebookTwitterYouTube, and Google+ where we keep you updated on cybersecurity news every day.

Tiny Banker Trojan targets customers of major banks worldwide

The Tinba Trojan aka Tiny Banker targeted Czech bank customers this summer; now it’s gone global.

After an analysis of a payload distributed by Rig Exploit kit, the AVAST Virus Lab identified a payload as Tinba Banker. This Trojan targets a large scope of banks like Bank of America, ING Direct, and HSBC.

 hsbc_bank

In comparison with our previous blogpost, Tinybanker Trojan targets banking customers, this variant has some differences,  which we will describe later.

How does Tiny Banker work?

  1. 1. The user visits an website infected with the Rig Exploit kit (Flash or Silverlight exploit).
  2. 2. If the system is vulnerable, then the exploit executes a malicious code which downloads and executes the malware payload, Tinba Trojan.
  3. 3. When the computer is infected and the user tries to log into one of the targeted banks, webinjects come into effect and the victim is asked to fill out a  form with his personal data.
  4. 4. If he confirms the form, the data are sent to the attackers. This includes credit card information, address, social security number, etc. An interesting field is “Mother’s Maiden Name” which is often used as a security question to reset a password.

The example of an injected form targeting Wells Fargo bank customers is displayed in the image below.

form

Differences from the Czech campaign

In the case of the Tinba “Tiny Banker” targeting Czech users, the payload was simply encrypted with a hardcoded RC4 password. However, in this case, a few more steps had to be done. At first, we located the folder with the installed banking Trojan. This folder contained an executable file and the configuration file – see the next figure for the encrypted configuration file.

tinba_enc0

 

At first, XOR operation with a hardcoded value 0xac68d9b2 was applied.

tinba_enc1

 

Then, RC4 decryption with harcoded password was performed. After RC4 decryption, we noticed AP32 marker at the beginning of the decrypted payload, which signalized aplib compression.

tinba_enc2

 

Therefore, after aplib decompression, we got the configuration file in plaintext. After studying this roughly 65KB long plaintext file, we noticed that it targets financial institutions worldwide.

tinba_enc3

Targeted financial institutions

 Screenshots of targeted banks

us_bank

td_bank

 

Conclusion

Keep your software up-to-date. Software updates are necessary to patch vulnerabilities. Unpatched vulnerabilities open you to serious risk which may lead to money loss. For more protection, use security software such as avast! Antivirus with Software Updater feature. Software Updater informs you about  updates available for your computer.

SHA’s and detections

Exploits

CC0A4889C9D5FFE3A396D021329BD88D11D5159C3B42988EADC1309C9059778D
1266294F6887C61C9D47463C2FE524EB1B0DA1AF5C1970DF62424DA6B88D9E2A

Payload

856E486F338CBD8DAED51932698F9CDC9C60F4558D22D963F56DA7240490E465
88F26102DB1D8024BA85F8438AC23CE74CEAE609F4BA3F49012B66BDBBE34A7B

avast! detections: MSIL:Agent-CBZ [Expl], SWF:Nesty-A [Expl], Win32:Banker-LAU [Trj]

Acknowledgement

This analysis was done collaboratively by David Fiser and Jaromir Horejsi.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.