Our ‘BlackBerry Cylance Versus’ series takes an in-depth look at malware from A to Z, from past to present, with a goal of throwing light on how and why threats that may have been active for years still work, and what we, as a security community, can do to combat them.

Tinba (aka. Tina or Zusy), which stands for “Tiny Banker”, is a banking Trojan that has targeted Windows computers since 2012. It is a famously small malware, file-wise, with a code base of 20 kB. It is specifically designed to target financial institutions. Tinba steals browsing data, login credentials, and other sensitive information by using Man-in-the-Browser (MitB) attacks.

Tinba performs code injections on running processes to hide itself and achieve persistence. In 2014 the source code for Tinba leaked on an underground cybercrime forum, giving threat actors worldwide access to this powerful malware.

Tinba Analyzed

Our analysis of Tinba was performed on the following hashes:

  • E7C0B1BD0DB584D82E3D77F283467C899656075189183B5A8F8431C458E60321
  • 0283798A83AA597BF15ED5A59C21E68D66F6789B2ACABBE87DCA9C089608B893
  • 83C2B35F72749433E76B16F25A1CA9715B55AA280FB5D158389EAFD17CD0D392

Code Features

The Tinba variants we analyzed have the product/project name “Dealhoya”. They are compiled with Visual Basic 6 which requires VB6 runtime to run. These variants attempt to camouflage themselves as a flash game. The file description reads “flash game Lucknow is the capital city of the state of Uttar” and the filename is FergusGamez.exe.

True to its reputation, the Tinba files are tiny, each weighing in at less than 100 kB. The malware files are highly obfuscated as shown in Figure 1:

Figure 1: Tinba’s obfuscated code

Evasion Technique

Tinba can detect and evade virtual environments by calling the following Windows APIs:

  • GetDiskFreeSpaceExW
  • GlobalMemoryStatusEx
  • GetAdaptersAddresses

Tinba also monitors user activity in the active window by calling GetForegroundWindow. These functions allow the malware to judge whether the platform is an analysis environment such as sandbox or debugger.

Code Injection

When Tinba executes it creates another process of itself. This second process launches a legit Windows application called winver.exe and injects the malicious code into it. Winver.exe is the standard program for displaying Windows version information.

The injected code checks for the presence of explorer.exe by finding the window with the Shell_TrayWnd class name. If found, the malware attempts to inject secondary code into explorer.exe. The secondary code also injects the main Tinba code into all active processes. When successful, this attack results in ten or more injected process running Tinba in their threads (See Figure 2):

Figure 2: Tinba execution flow

Dropping the EXE File

The infected explorer.exe serves as the main process of Tinba. It drops bin.exe into %AppData% and adds the following RUN key to achieve persistence:

Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\(random string)
Registry value: %AppData%\(random string)\bin.exe

The random string is eight alphanumeric characters ([0-9A-Z]{8} in regular expression) that are unique to each infected machine. Bin.exe is the polymorphic version of Tinba, which means the file hash differs for each infection. The malware also creates directories using the random string then sets the hidden attribute:

  • %AppData%\Local\Packages\windows_ie_ac_001\AC\(random string)
  • %AppData%\LocalLow\(random string)
  • %AppData%\(random string)

Command and Control (C2) Communication

Tinba connects to the C2 server to post the 157 bytes of encrypted system information using the HTTP POST method:

  • C2 URL: hxxp://recdataoneveter[.]cc/vet7sdfh678sdjjs7er0k/
  • DNS resolved IP address:  216[.]218[.]185[.]162

Figure 3: Tinba C2 protocol

Some variants of Tinba use DGA (Domain Generation Algorithm) domains. This process uses a hardcoded domain as the seed to generate short-lived DGA domains which obfuscate C2 communications. Tinba also uses Fast Flux domains where allocated IP address change frequently. In the above case, the server was not available at the time of our investigation because it was taken down.

When the C2 connection succeeds, Tinba downloads additional payloads like a browser injection module and a new banking target URL list. It will also install any pending updates.

MITB for Stealing Bank Account Credentials

The infected explorer.exe seeks out Internet Explorer and Firefox so Tinba can use Man-in-the-Browser (MitB) attacks to steal bank account information. Tinba targets accounts related to financial institutions, Google, Facebook, and Microsoft. Malicious code injected into the browser will monitor credential information as it is entered into login pages or steal it from the browser cache. Tinba encrypts stolen data with the RC4 algorithm and sends it to the C2 server.

Indicators of Compromise (IOCs)

  • Sample Hashes

  • Filenames
    o  FergusGamez.exe

  • C2s/IPs
    o  hxxp://recdataoneveter[.]cc/vet7sdfh678sdjjs7er0k/
    o  216[.]218[.]185[.]162    

  • Registry
    o  key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[0-9A-Z]{8}§ 
        •   value: %AppData%\[0-9A-Z]{8}\bin.exe

  • Create Folder
    o  %AppData%\Local\Packages\windows_ie_ac_001\AC\[0-9A-Z]{8}
    o  %AppData%\LocalLow\[0-9A-Z]{8}
    o  %AppData%\[0-9A-Z]{8}

BlackBerry Cylance Stops Tinba

Blackberry Cylance offers a predictive advantage over zero-day threats and is also effective against legacy malware like Tinba. Blackberry Cylance uses artificial intelligence (AI) agents trained for threat detection on millions of both safe and unsafe files. This allows BlackBerry Cylance prevent Tinba from executing based on the analysis of several malicious file attributes instead of a specific file signature.