Tinba Trojan specifically targets bank customers with deceitful debt notice.
The Tinba Trojan is banking malware that uses a social engineering technique called spear phishing to target its victims. Recently, the targets have been banking customers in the Czech Republic, AVAST Software's home country. Tinba, aka Tinybanker, was first reported in 2012, when it was active in Turkey. A whitepaper analyzing its functionality is available here (PDF). However, the spam campaigns against bank users in the Czech Republic are still going on and have become more intensive. Here is an example of what Czech customers recently found in their email inbox.
Czech version:
VÝZVA K ÚHRADĚ DLUŽNÉHO PLNĚNÍ PŘED PROVEDENÍM EXEKUCE
Soudní exekutor Mgr. Bednář, Richard, Exekutorský úřad Praha-2, IČ 51736937, se sídlem Kateřinská 13, 184 00 Praha 2
pověřený provedením exekuce: č.j. 10 EXE 197/2014 -17, na základě exekučního titulu: Příkaz č.j. 077209/2014-567/Čen/G V.vyř.,
vás ve smyslu §46 odst. 6 z. č. 120/2001 Sb. (exekuční řád) v platném znění vyzývá k splnění označených povinností, které ukládá exekuční titul, jakož i povinnosti uhradit náklady na nařízení exekuce a odměnu soudního exekutora, stejně ták, jako zálohu na náklady exekuce a odměnu soudního exekutora:
Peněžitý nárok oprávněného včetně nákladu k dnešnímu dni: 9 027,00 Kč
Záloha na odměnu exekutora (peněžité plnění): 1 167,00 Kč včetně DPH 21%
Náklady exekuce paušálem: 4 616,00 Kč včetně DPH 21%
Pro splnění veškerých povinností je třeba uhradit na účet soudního exekutora (č.ú. 549410655/5000, variabilní symbol 82797754, ČSOB a.s.), ve lhůtě 15 dnů od doručení této výzvy 14 810,00 Kč
Nebude-li uvedená částka uhrazena ve lhůtě 15 dnů od doručení této výzvy, bude i provedena exekuce majetku a/nebo zablokován bankovní účet povinného ve smyslu § 44a odst. 1 EŘ a podle § 47 odst. 4 EŘ. Až do okamžiku splnění povinnosti.
Příkaz k úhradě, vyrozumění o zahájení exekuce a vypučet povinnosti najdete v přiložených souborech.
Za správnost vyhotovení Alexey Mishkel
English translation:
Distraint notice
———————
Bailiff [Academic title] [First name] [Last name], Distraint office Prague-2 ID: 51736937 at Katerinska 13, 184 00 Prague 2 was authorized to proceed the execution 10 EXE 197/2014 -17 based on execution Order 077209/2014-567/Cen/G according to §46 paragraph 4, 120/2001 law collection in valid form which impose you to pay these costs:
Debt amount: 9,027.00 CZK ($445.00)
Distraint reward: 1,167 including 21% TAX
Fixed costs: 4,616 CZK including 21% TAX
Total: 14,810 CZK ($730.00)
To bank account 549410655/5000, variable symbol 82797754, CSOB a.s.
For the correctness of the copy warrants Alexey Mishkel
Using the spear phishing social engineering tactic, the attackers attempt to scare their victims with a specially crafted email message claiming that a debt exists and must be paid.
Details of the Tinba banking Trojan threat
A file attached to the email is named prikaz0581762789F75478F.zip. It contains an executable file, prikaz-15.07.2014-signed_1295311881CC7544E.exe. Prikaz means order in Czech.
The executable in the attachment is heavily obfuscated. After unpacking, it turns out to be a downloader which downloads, unpacks, and executes the next stage of the threat. It also drops and opens an RTF file containing the above-mentioned message.
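The attachment pattern described above (a zip carrying an executable whose name poses as a signed order) is exactly what a mail gateway can flag before any user opens it. The following is an added example written for this article, not Avast's code or tooling: it lists the members of an attachment archive without extracting or running anything and reports the ones a gateway should quarantine. The extension lists are a policy choice assumed for the example, and the sample archive is constructed with inert text members named after the attachment in the article plus a made-up double-extension decoy.

```python
import io
import zipfile
from typing import List, Tuple

# Member extensions that a mail gateway should never let through inside an archive.
# The lists below are a policy choice for this example, not something the article prescribes.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar")
# Document-looking extensions attackers put in front of the real one ("invoice.pdf.exe").
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".rtf", ".txt", ".jpg")
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")


def inspect_attachment(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """List the archive's members and return (member name, reason) for every
    member a gateway should quarantine. The archive is only listed; nothing is
    extracted to disk or executed."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        # Not a valid zip: this check has nothing to say, another scanner decides.
        return []

    findings = []
    for info in infos:
        name = info.filename.lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            stem = name.rsplit(".", 1)[0]
            if stem.endswith(DECOY_EXTENSIONS):
                findings.append((info.filename, "double extension hiding an executable"))
            else:
                findings.append((info.filename, "executable inside mail attachment"))
        elif name.endswith(ARCHIVE_EXTENSIONS):
            findings.append((info.filename, "nested archive (defeats a single-level scan)"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the campaign's attachment: a zip holding an .exe
    named like the one in the article, a made-up decoy and a harmless text file.
    All member contents are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("prikaz-15.07.2014-signed_1295311881CC7544E.exe",
                    "inert placeholder, not a real executable")
        zf.writestr("vyrozumeni.pdf.exe", "inert placeholder (constructed decoy name)")
        zf.writestr("readme.txt", "harmless text member")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_attachment(build_sample_attachment()):
        print(f"{member}: {reason}")
```

The check deliberately never calls `extract`; reading the central directory is enough to make the quarantine decision, and a member named "-signed" carries no more trust than any other `.exe`.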
The first stage was well described by colleagues from AVG in their blogpost.
The second stage is obfuscated with a custom packer similar to the one used in stage 1. The screenshot below shows long spaghetti code, with EnumFontsA used to redirect code flow to its callback.
Later on, the Tinba banker gets decrypted and executed. We will not delve into details about this particular threat, because it is nothing new; however, we are interested in the configuration file.
When transmitted, the data is encrypted with the RC4 cipher using a hard-coded password, displayed in the figure below.
After decryption, we get Tinba's configuration file. We can clearly see that it targets the following Czech banks: Ceska Sporitelna, CSOB, Era and Fio.
Stealing of sensitive data runs through webinjects into the original web-browser banking interfaces. The webinjects are downloaded from the bot's C&C and come in an RC4-encrypted configuration file whose format is shared with the infamous Carberp and SpyEye banking Trojans. For every botuid (a unique identifier associated with the user's environment), an array of grabbed login names with passwords is stored on a malicious server. Additional downloadable JavaScripts are associated with each webinject, e.g. the scripts hXXps://andry-shop.com/gate/get_html.js, hXXps://andry-shop.com/csob/gate/get_html.js and hXXps://yourfashionstore.net/panel/a5kGcvBqtV are linked with Ceska Sporitelna, CSOB and FIO respectively. The purpose of the latter is to redirect victims to a page offering various applications containing the string OTPdirekt.
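The two steps described in the paragraphs above, RC4 decryption of the transmitted configuration and reading the webinject entries out of it, are the routine an analyst repeats on every captured config. The following is an added example written for this article, not Avast's tooling and not code from the malware: it implements RC4, parses the Zeus-style `set_url` / `data_before` / `data_inject` / `data_after` / `data_end` layout that SpyEye and Carberp webinjects use (assumed here to be the shared format the article refers to), and reports which external script hosts each targeted URL pattern pulls in. The key, bank URL pattern and script host are placeholders; the real sample's hard-coded password appears only in the article's screenshot.

```python
import re
from typing import Dict, List

# Placeholder key for the worked example; the sample's real hard-coded RC4 password
# is shown only in the article's screenshot and is not reproduced here.
EXAMPLE_KEY = b"example-rc4-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The cipher is symmetric, so one call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_webinjects(text: str) -> List[Dict[str, str]]:
    """Parse Zeus/SpyEye-style webinject entries: a `set_url <pattern> [flags]` line
    followed by data_before / data_inject / data_after blocks, each closed by data_end."""
    entries: List[Dict[str, str]] = []
    current = None
    block = None
    buf: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url"):
            parts = stripped.split()
            if len(parts) < 2:
                continue  # malformed entry, skip rather than crash on a captured file
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            entries.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            block, buf = stripped, []
        elif stripped == "data_end":
            if current is not None and block is not None:
                current[block] = "\n".join(buf)
            block = None
        elif block is not None:
            buf.append(line)
    return entries


def injected_hosts(encrypted_config: bytes, key: bytes) -> Dict[str, List[str]]:
    """Decrypt a config blob and map each targeted URL pattern to the hosts whose
    scripts the injected HTML loads. Those hosts are the indicators worth blocking."""
    plaintext = rc4(key, encrypted_config).decode("utf-8", errors="replace")
    result: Dict[str, List[str]] = {}
    for entry in parse_webinjects(plaintext):
        hosts = re.findall(r"https?://([^/\s\"'<>]+)", entry["data_inject"])
        result[entry["url"]] = sorted(set(hosts))
    return result


# Constructed sample config in the shared webinject format; bank and script hosts are placeholders.
SAMPLE_CONFIG = """\
set_url https://*.example-bank.test/ib/* GP
data_before
</head>
data_end
data_inject
<script src="https://example-c2.test/gate/get_html.js"></script>
data_end
data_after

data_end
"""

if __name__ == "__main__":
    blob = rc4(EXAMPLE_KEY, SAMPLE_CONFIG.encode())  # stands in for a captured encrypted config
    for target, hosts in injected_hosts(blob, EXAMPLE_KEY).items():
        print(target, "->", ", ".join(h.replace(".", "[.]") for h in hosts))
```

Because RC4 is a stream cipher with no integrity protection, a wrong key produces garbage rather than an error; checking that the decrypted text starts with a `set_url` line is the cheapest sanity test before trusting the output.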
Variants for Windows Phone, BlackBerry and iPhone are offered, but it seems that the download is still not implemented. The only available application that provides pairing of a personal computer with a mobile phone (and therefore serves for a multi-factor authentication bypass) is an Android app.
In the figure below, you can see that the format of the configuration file is compatible with tools related to the banking Trojans SpyEye and Carberp.
The screenshots below show active webinjects on an infected machine.
When the victim logs into their bank account, they are presented with the following message. It says that two-factor authentication via the OTPDirekt application is needed, and asks the user to select the operating system of their smartphone.
In the case of Android, a picture with a QR code is presented. This QR code leads to a shortened link, which redirects the user to the server hosting the Android application.
The shortened link leads to a “potentially problematic” link. If we ignore this warning, we get the malicious Android application.
If the installation is successful, “Thank you for using OTPdirekt application” is displayed to the victim.
If the user chooses any operating system except Android, they are presented with the following message, translated as “Please try again later!”
The downloaded Android application was already detected by avast! as Android:Perkele-T.
Below we present screenshots of the fake Android apps.
From the malicious code inserted into the internet banking website, we can deduce the following information. The comment “Instrukciya” is a Russian word meaning “instruction”. It is possible that Russian-speaking individuals are behind this attack.
SMS messages from the infected phone are forwarded to a phone number registered in the Astrakhan area, in the southern part of Russia.
The malware tries to mask its activity by hiding already issued (illegal) transactions and the real account balance. You can see that in the displayed snippet of the code.
In the first phase of the spear phishing campaign, the malware authors focused on bank customers with an account balance of more than 70,000 CZK (about $3,500). In the second phase, they focused on all customers, no matter what their account balance was. In the figure below, if the balance is below 70,000 CZK, only information about the malware installation and the account number is sent to the C&C. In the other cases, information about the account balance is sent, too. This part of the code was finally commented out and replaced with the second variant.
Conclusion
Social engineering is an effective method of delivering malicious code. The text was so persuasive that even a few people in our close neighborhood got infected. Although banks have introduced multi-factor authentication to protect their users, more advanced malware authors have adapted their Trojans to bypass it.
SHA-256 hashes:
Malicious Android apps
BFC6E1FA02459E3C35BD4D0EE3097E2E5D7B478A8F58AF76DDE0114CA2AE8945
C5265B8BAF76D0836AEBBD99C15307F7455ED38A0B7645E84DAE3CE4BF4B6A26
Zemot downloader (custom packed)
7D50FF2E235DCE7D0AB640A3519D025B0B67A45B81BEA1BC0FE98921B0A8044A
Zemot downloader (unpacked)
EABB8C0A1B76550215B228A8A0FDA2F4C7BA24BF30D17A9866A7EC931E228F1A
Tinba banker (custom packed)
F53C5C06FC96B965C473629F2FD7AB72E58CA188CF3889493D371A6436FEAA63
Tinba banker (unpacked)
0188D61BB9EB3EFA01D66EBC52B6E252D5636925488751018D9BCFC0DF467B40
C&Cs
picapicanet.net
picapicachu.com
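The hashes and C&C domains listed above are the indicators a defender sweeps for. The following is an added example written for this article, not Avast's code: it carries the article's indicators verbatim, hashes file contents against them, and scans proxy log lines for the C&C domains with an exact-or-subdomain match so that a look-alike such as notpicapicanet.net is not reported. The log lines, client addresses and the bank URL are constructed for the example.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators exactly as listed in the article.
ARTICLE_HASHES: Dict[str, str] = {
    "BFC6E1FA02459E3C35BD4D0EE3097E2E5D7B478A8F58AF76DDE0114CA2AE8945": "Malicious Android app",
    "C5265B8BAF76D0836AEBBD99C15307F7455ED38A0B7645E84DAE3CE4BF4B6A26": "Malicious Android app",
    "7D50FF2E235DCE7D0AB640A3519D025B0B67A45B81BEA1BC0FE98921B0A8044A": "Zemot downloader (custom packed)",
    "EABB8C0A1B76550215B228A8A0FDA2F4C7BA24BF30D17A9866A7EC931E228F1A": "Zemot downloader (unpacked)",
    "F53C5C06FC96B965C473629F2FD7AB72E58CA188CF3889493D371A6436FEAA63": "Tinba banker (custom packed)",
    "0188D61BB9EB3EFA01D66EBC52B6E252D5636925488751018D9BCFC0DF467B40": "Tinba banker (unpacked)",
}
ARTICLE_C2_DOMAINS = ("picapicanet.net", "picapicachu.com")


def sha256_hex(data: bytes) -> str:
    """Upper-case hex SHA-256, matching the case the article uses."""
    return hashlib.sha256(data).hexdigest().upper()


def match_files(files: Dict[str, bytes],
                indicators: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Hash each file's bytes and return (path, indicator label) for every match.
    `indicators` defaults to the article's table; pass another to test the logic."""
    table = ARTICLE_HASHES if indicators is None else indicators
    hits = []
    for path, content in files.items():
        label = table.get(sha256_hex(content))
        if label:
            hits.append((path, label))
    return hits


def host_matches(host: str, domains: Iterable[str]) -> Optional[str]:
    """Exact or subdomain match only: 'notpicapicanet.net' must not match 'picapicanet.net'."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


URL_HOST = re.compile(r"https?://([^/\s:]+)")


def c2_hits(log_lines: Iterable[str],
            domains: Iterable[str] = ARTICLE_C2_DOMAINS) -> List[Tuple[int, str]]:
    """Scan proxy log lines and return (line number, matched C&C domain)."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        m = URL_HOST.search(line)
        if not m:
            continue
        matched = host_matches(m.group(1), domains)
        if matched:
            hits.append((number, matched))
    return hits


# Constructed proxy log lines (timestamps, client IPs and URLs are made up for the example).
SAMPLE_LOG = [
    "2014-07-15T10:02:11Z 10.0.0.5 GET http://www.example-bank.test/ib/login 200",
    "2014-07-15T10:02:13Z 10.0.0.5 POST http://picapicachu.com/gate.php 200",
    "2014-07-15T10:02:20Z 10.0.0.7 GET http://notpicapicanet.net/ 200",
    "2014-07-15T10:03:01Z 10.0.0.5 GET http://cdn.picapicanet.net/cfg.bin 200",
]

if __name__ == "__main__":
    for line_no, domain in c2_hits(SAMPLE_LOG):
        print(f"line {line_no}: contact with C&C domain {domain}")
```

Hash matching only catches the exact samples listed, so the domain sweep is the more durable of the two checks; both should be fed by the article's indicators rather than by values retyped from memory.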
Acknowledgement:
This analysis was done collaboratively by Jaromir Horejsi, Peter Kalnai, David Fiser and Jan Zika.