Tiny Trojan Targets Turkish Users
Cybercrime gang tied to various nefarious and malicious activities now employing a powerful mini-Trojan
It's small -- as in 20 kilobytes small -- but the tiny banking Trojan based on the infamous BlackHole crimeware kit so far has infected more than 60,000 users in Turkey.
Trend Micro and CSIS Security Group have studied the so-called Tinba, Tinybanker, or Zusy malware, and say the information-stealing Trojan is similar to other malware variants with the same purpose. But its size is what sets it most apart: The tiny footprint helps it evade detection by antivirus engines.
Tinba (as in TINy BAnker) targets Windows machines running Internet Explorer and Firefox, and can disable the Mozilla browser's warning page.
"The capabilities of this malware are broadly similar to other similarly sophisticated info-stealing malware families. Using web injects, it steals the login information from websites, particularly those located in Turkey. Some targets such as Facebook, GMX, Google, and Microsoft are hardcoded into the code of Tinba itself and are universally targeted by Tinba," Trend Micro said in a blog post today. "Other institutions are targeted based on downloaded configuration files; frequent targets include key government portals and Turkish banks/financial institutions."
Tinba appears to be the handiwork of a well-organized gang with ties to SpyEye, Zeus, Torpig, and money mule operations, malicious website hosting, and pornographic sites. Trend Micro says the tiny Trojan's infrastructure is based in Russia and Lithuania. It piggybacks onto the browser and steals logins, sniffs network traffic, executes man-in-the-browser Web injection attacks, and bypasses two-factor authentication. Tinba has also been used together with other information-stealing malcode.
"It appears that the Tinba malware can be related to possibly stolen mail.ru contacts, a mule operation, a shady Web hosting provider, porn sites, and numerous other domains related to banker Trojans. CSIS and Trend Micro believe that the Tinba sample is part of a larger cyber crime gang. This is not likely to be the work of one or two people, but part of a bigger scheme. It is remarkable that this gang does not hesitate to attack Russian-speaking Internet users as well, which significantly increases the risk of apprehension (when the suspects are in Russia). As well as being traced to Russia, significant parts of the gang's infrastructure have also been based in Lithuania," Trend and CSIS wrote in a white paper about the malware.