Security vendor F5 Networks have detected what they say is the fifth variant of the Tinba banking trojan, which appears to be specifically targeting banks in the Asia-Pacific region, particularly those in Singapore (Tinba-pore, get it?) and Indonesia, as well as going after banks in other parts of the world.
F5 detected the new variant thanks to the behavioral monitoring capabilities of its products, which is able to pick up on differences between legitimate transactions and potentially fraudulent ones being issues by the malware. F5′s products then add to the bank’s other mechanisms for detecting fraud (such as noticing that you just used an ATM in New York, so why is your credit card being used in a shop in Paris five minutes later?) which can stop, or at least limit, the amount of fraud.
Also known as Tinybanker, Zusy, or HμNT€R$, the malware source code was leaked in 2014. It was noted for being very small, about 20KB, and for being written in assembly language, rather than a higher level language like C.
The Tinbapore malware infects computers using standard phishing attacks: fake emails dressed up to look like a legitimate email entice users to click on an attachment, which installs the malware on their PC. This malware specifically targets Windows PCs, embedding itself into four libraries, and running its own browser in the background, from which is launches its attack.
When users access their bank, the malware starts to do its nefarious work, funneling money to accounts controlled by the criminals responsible for the malware.
Benn Alp, a Solution Architect from F5, told me that malware like this is becoming increasingly sophisticated. The infection emails are sometimes targeted at businesses or high net-worth individuals, who are likely to have bigger bank balances to steal. “Because the potential payback, the level of sophistication once they’ve infected a system is very, very high,” Alp says.