The popular banking trojan Tinba has been wreaking havoc among users for five years already.
During all these years, the trojan, which is also known as Tinybanker, Zusy or HµNT€R$, has had four major versions. Now the cyber security vendor F5 Labs is announcing a fifth version of Tinba, which has received special updates so it can target new territories, such as Asian Banks.
The fifth version of Tinba trojan is called Tinbapore and it doesn’t differ too much from the previous versions. Though, it works the same way as the other four.
Usually, the tojan infects users’ computers through spam, then it goes on to gain boot persistence via a rootkit, initiates conversations with a C&C server after scanning and collecting data from the victim, and goes on to hijack the user’s browsers.
By now, more than half of the Tinbapore infections have been recorded in the Asia-Pacific region.
Unlike the previous four versions of the trojan, the new version includes the usage of a domain name generation algorithm, which makes it harder for security researchers to track down its C&C, and its own separate explorer.exe process that runs in the operating system’s background.
The F5 researchers claim that the campaign responsible for spreading the latest version of Tinba comes from Russian domain names. The other trojan’s targets are located in Singapore – the country after which Tinbapore’s name was derived.
The second place after Signapore’s 30%, takes Indonesia with 20%, and Malaysia is third with 5%.
“Financial institutions in APAC are not the only ones at risk; the malware has also targeted institutions in the Europe, Middle East, and Africa (EMEA) region and the Americas,” F5 researchers reveal. “However, it is clear that the majority of attacks target financial institutions in Asia and the Pacific.”