WP Tiny Banker Trojan (TBT) / Tinba | Prevent Banking Trojans | Imperva

Tiny Banker Trojan (TBT)

22.7k views
Attack Types

What Is Tiny Banker Trojan?

Tiny Banker Trojan (TBT), or Tinba, is a trojan that infects end-user devices and attempts to compromise their financial accounts and steal funds.

First discovered in 2012, the Trojan initially infected thousands of Turkish computers. Once it was discovered, the original source code for the malware was leaked online and has since undergone various revisions, making it much more difficult for financial institutions to detect.

Tinba is a modified version of ZeuS Trojan, which used a similar attack mechanism, but the main difference is that Tinba is much smaller in size. Smaller malware is much harder to detect. Tinba is the smallest known Trojan at just 20KB.

Impact of the Tinba Trojan

TBT created a serious problem for systems infected with this malware. It has infected more than 20 major US banking institutions.

Tiny Banker infects systems and browsers in a variety of ways and stores data sent to and from banking sites. When a user logs onto a banking website, a malicious pop-up window appears asking for login credentials using the original logo and name of the actual site.

Tiny Banker’s source code has been published online, with new malware iterations continuing to emerge. Since its peak in 2016, it is considered one of the most destructive malware strains affecting the banking industry, and it has impacted the way online banking works ever since.

How the Tinba Banking Trojan Works

Infected websites can distribute Tiny Banker, with victims lured via phishing emails and fraudulent advertising content. When a vulnerable system runs Tinba, it replicates it under the name bin.exe to the %AppData% folder.

Various versions of Tinba ended up in different folders—variants created folders with randomly generated names based on information about the infected system. Tinba encrypts its memory usage to avoid detection.

When an infected system restarts, bin.exe runs and Tiny Banker persists on the computer. Tinba can modify web browsers such as Explorer and Firefox, disabling warning messages and enabling HTTP content to be displayed on HTTPS websites without prompts. Tiny Banker targets processes such as explorer.exe and svchost.exe on Windows, as well as other running processes.

TBT encrypts its communications with command and control servers and maintains availability by using four C&C domains. It has local config files it can use when unable to connect to a server.

How Tinba Performs Man in the Browser Attacks

Man-in-the-Browser attacks use form grabs to intercept keystrokes, before they are transmitted to the website over the encrypted HTTPS protocol. This effectively bypasses HTTPS and allows the attacker to steal the user’s data.

Tinba comes with a web injection component containing malicious JavaScript code. This is malware that can apply dynamic web injection to many online banking websites. The web injection component adapts to the exact look of the original website, making it difficult for users to spot.

The web injection mechanism displays misleading messages to the user, for example, that the financial institution needs them to re-enter their account details, and prompts them to enter sensitive data to verify their identity. Users are asked not only for financial information, such as bank account or credit card data, but also identification information like social security numbers. Additionally, users are asked for information about common security questions, like their mother’s maiden name.

The threat actor can then use browser man in the middle (MitM) attacks to transmit the victim’s available balance to so-called “cash mules”. These are third parties who withdraw funds, and send them to threat actors in an untraceable manner, in exchange for a commission.

Tiny Banker Trojan Removal

If Tiny Banker is present on the system, it may cause browser issues or make the system crash. Typically, a pop-up message pretending to be from the bank asks the user to take unusual action, such as entering sensitive information. It may also tell the user that funds have been deposited into their account by mistake, and they must return the funds immediately.

The most common ways Tinba infects a system are when users download free software from unfamiliar websites, click on infected links or attachments in phishing emails, click on pop-up ads, or download content from the dark web or torrent files.

Cleaning up Tiny Banker can be difficult because it injects malicious code into legitimate processes. There are two main options for removing the trojan:

  1. Most major anti-malware companies offer Tiny Banker cleaners.
  2. You can use a full system state backup to restore to a time before infection. However, this is a risky path—choosing a restore point can be difficult as a Tinba infection may not be immediately obvious. Also, any changes made since the restore point will be lost.

User Education: How Users Can Prevent Banking Trojans

Banking trojans are an extremely stealthy form of malware. When a banking trojan infects a user’s PC or web browser, it goes dormant and waits for them to access an online banking website. When the user does this, the Trojan is activated, uses a keylogger to steal the username and password of the account, and secretly sends it to the attackers.

As the threat of theft via banking trojans increases, there are a number of ways that users can protect themselves:

  • Watching out for phishing emails—when opening an email from an untrusted source, or emails from a trusted source that contain unusual content or requests, users should not click links, execute files, or open Microsoft Office documents.
  • Using security solutions on the local device—modern security solutions can protect users from malware and other attack vectors. A good security solution can effectively detect and block banking trojans, by detecting and blocking malicious content in files or phishing messages. Even if users browse the web on a personal device, they should deploy well-known, effective anti-malware solutions.
  • Unusual behavior on banking sites—users should look out for suspicious activity from banking and financial services websites. They should pay special attention to new login fields they haven’t seen before, especially when they request personal data. Users should consider what the bank typically does not ask for, and look for small flaws or changes in the website design or display.
  • Install mobile applications from trusted sources—this is especially important for banking applications. Downloading apps from known and trusted sources such as Google Play and Apple App Store doesn’t guarantee users won’t download malicious applications, but it will protect them from most threats.
  • Back up important files—users should make offline copies of their most important files on external devices or cloud storage services. Today’s common banking trojans distribute other malicious software such as ransomware after their initial phase, which can deny users access to their files.

Imperva Application Security

Imperva provides Runtime Application Self-Protection (RASP) – real-time attack detection and prevention from your application runtime environment. Stop external attacks and web injections, including banker trojan and man in the browser attacks, and reduce your vulnerability backlog.

Beyond web injection protection, Imperva provides comprehensive protection for applications, APIs, and microservices:

Web Application Firewall – Prevent attacks with world-class analysis of web traffic to your applications.

API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.

Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.

DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.

Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.

Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud, prevent data breaches, and client-side attacks.