Tinba is information stealing Trojan. The main purpose of the malware is to steal information that could be browsing data, login credentials, or even banking information. This is achieved through code injection into system process (Winver.exe and Explorer.exe) and installing hooks into various browsers like IExplorer, Chrome, Firefox and Opera.
Tinba has been known to arrive via spammed e-mail attachments and drive-by downloads. Recently, Angler Exploit Kit instances were also found to be serving Tinba banking Trojan.Detailed Analysis of Tinba
Tinba is packed with a custom packer and uses well known anti-debugging technique using the WinAPI function “IsDebuggerPresent” to hinder reverse engineering of the binary image. The execution flow of the infection cycle for Tinba is shown below.
|Execution flow of Tinba|
The image below shows the custom packer code being used by the Tinba sample we were looking at.
|Tinba unpacking Routine|
The unpacked binary image is shown below which upon execution will perform code injection into system processes like Winver.exe and Explorer.exe.
It generates Mutex name using root volume information of the victim’s machine as shown below.
Remote Thread in System Process
|Mutex name generation|
A remote thread is created inside Explorer process that is responsible for creating a copy of Tinba Binary in %APPDATA% & auto start registry entry in Registry hive.
|Explorer remote thread|
The Tinba binary is stored in a hidden folder which is created under %APPDATA% directory:
C:\Documents and setting \username \Application Data\mutexname\bin.exe
It also creates an auto-run registry entry to execute Tinba binary during every windows start-up as shown below:
|Auto start registry entry|
Another thread is also created in Explorer process which is responsible for generating DGA (Domain Generation Algorithm) domains and injecting code into browsers like IExplorer, Chrome, Firefox and Opera.
Domain Generation Algorithm
|Explorer local thread|
The following is the Domain Generation Algorithm (DGA) used by Tinba variant where every sample uses a hardcoded domain and seed to generate the DGA domains.
|DGA routine|| || |
|Hardcoded Domain and seed|
These DGA domains are fast flux domains where single domain is frequently switched to different IPs by registering it as part of the DNS A record list for a single domain.
Remote Thread in browsers
The Explorer thread searches for browser process either by checking path of the browser executable or by loaded application specific DLL (e.g. NSS3.dll for firefox.exe). If the targeted browser process is found, then the secondary thread is created in the process.
This thread is responsible to get updated Bot configuration details like Target URL list and strings (BOTUID ) from a remote C&C server. If there is no updated list of target URLs from C&C server, then it uses default targeted list of URLs which is stored in the injected code. The list of default target URLs after decryption is shown below.
|Default Targeted URL list|
The collected information form webmail, social media and the banking sites are stored in "log.dat" file.
C&C communication & Cryptography:
|Log file path|
The POST request to C&C server contains encrypted system information like system volume & version information. The cryptography routine is a simple byte 'XOR' with an 8 bit 'ROR' of the key after each write.
|Send Data Encryption|
A sample Tinba POST request to DGA domains with 157 bytes of encrypted data is shown below.
|C&C POST Request|
Geo distribution of C&C call back attempts that we blocked in past one month:
We have seen following C&C server IP addresses:Conclusion:
Tinba also known as small banking Trojan continues to be prevalent in the wild. The arrival method varies from e-mail spam, drive-by downloads and most recently Exploit Kit infection cycle. Zscaler ThreatlabZ is actively monitoring this malware family and ensuring coverage for our customers.