Tinba : The Tiny Banker Trojan Compromising your Financial Accounts

What is Tinba Virus?

The Trojan virus infects end-user devices and offers to compromise their financial accounts and steal funds. Tiny Banker Trojan short form is Tinba, a malware program targeting financial institution websites. It is known for its small size but powerful abilities. A smaller virus is much harder to detect. Tinba is the smallest at just 20KB.

The primary purpose of the trojan is to steal information which could be browsing data, login credentials, and banking information. It was discovered in 2012, The Tinba virus, in the beginning, infected 1000 Turkish Computers. Once it was discovered, the source code for the virus was leaked out online and had undergone various revisions, making it quite difficult for financial institutions to find out.

What is the Impact of Tinba Virus?

Tiny Banker infects systems & browsers and stores information sent to and from banking sites. Once a user logs onto a banking website, a malicious pop-up window seems to pose for login credentials exploiting the initial brand and name of the particular website.

Tiny Banker's source code has been uploaded online, with new malware iterations continuing to emerge. Since its peak in 2016, it's been thought of as one of the harmful malware strains affecting the banking industry.

How does Tinba Banking virus works?

Infected websites will distribute Tiny Banker, with victims lured via phishing emails and fake advertising content. Once a vulnerable system runs Tinba, it replicates it underneath the name bin.exe to the %AppData% folder.

Various versions of Tinba find themselves in several folders—variants created folders with arbitrarily generated names supporting data concerning the infected system. Tinba encrypts the memory usage to avoid detection.

When the infected system restarts, bin.exe runs, and Tiny Banker persists on the pc. Tinba will modify internet browsers like person and Firefox, disabling warning messages and sanctioning HTTP content on HTTPS websites while not prompting. Small Banker targets processes like person.exe and svchost.exe on Windows as alternative running processes.
TBT encrypts its communications with command and management servers and maintains handiness by mistreatment of four C&C domains. It's native config files it will use once unable to attach to a server.

Performing Browser Attacks with Tinba Virus

The Browser attacks use kind grabs to intercept keystrokes before they're transmitted to the website over the encrypted HTTPS protocol. This effectively bypasses HTTPS and permits the wrongdoer to steal the user's knowledge.

Tinba comes with an internet injection element containing malicious JavaScript code. This is often malware that may apply dynamic internet injection to several online banking websites. The net injection element adapts precisely to the initial website's look, making it troublesome for users to identify.

The web injection mechanism displays dishonest messages to the user. For example, the financial organization wants them to enter their account details and prompts them to enter sensitive information to verify their identity. Users area units asked not just for money info, like checking account or MasterCard knowledge, however additionally identification info like Social Security numbers. To boot, users area units asked for common security queries, like their mother's family name.

The threat actor will then use browser man within the middle (MitM) attacks to transmit the victim's out there balance to questionable "cash mules' '. These area unit third parties withdraw funds and send them to threat actors in an untraceable manner in exchange for a commission.