In July 2014, the original source code of Tinba was made public in an underground forum. The leaked version comes with complete documentation and full source code. This follows other source code leaks from far more infamous and prevalent threats, which researchers worry attackers could use as the basis for new versions, much as the 2011 Zeus source code leak led to the creation of Citadel.
Tinba’s New Tricks
Well, worry no more: a new version of Tinba has indeed been discovered by Seculert’s Research Lab. This version of the “tiny banker”, a.k.a. the Tinba trojan, boasts some potent features, including new detection evasion tactics. The main changes in this version are the ability to target 64-bit operating systems and new DGA (domain generation algorithm) capabilities. Additionally, we are seeing the use of both signed and unsigned executables.
64-Bit OS Becomes Fair Game
Upon installation, Tinba’s dropper will try to establish itself on the system by executing its main code inside explorer.exe. This is done in two steps:
- Executing winver.exe and injecting its code into it
- From inside winver.exe Tinba will find explorer.exe and continue to inject its code there.
Figure 2: Executable according to bitness inside winver.exe
In the original version of Tinba, the malware did not support code injection into 64-bit processes. In this new version, Tinba’s developer(s) enabled the malware to work on 64-bit operating systems with 64-bit processes, which helps them target more machines and expand the information-stealing capabilities.
Tinba chooses the right execution path for the underlying OS during the winver.exe stage (F.1):
- The process execution subsystem is determined by checking the code segment register (CS):
  - 0x1B – 32-bit
  - 0x23 – WOW64
  - 0x33 – 64-bit
- If a 64-bit OS is identified, it jumps to its 64-bit intermediate stage, which finds the 64-bit CreateRemoteThread in kernelbase.dll and starts itself inside explorer.exe.
This technique for combining 32- and 64-bit code in the same executable is not new and exists at least as far back as 2011. What Seculert’s researchers do see is that more and more malware families are adding support for 64-bit code injection/execution. It is also worth noting that browsers are increasingly running as 64-bit processes.
Hard Core and Hard Coded
Tinba’s Domain Generation Algorithm (DGA) seems to be different from the DGAs we have seen in other malware families to date. Every sample has one hard-coded domain (C&C) and a seed. These parameters are fed into the DGA, producing 1000 domains unique to that sample. This makes it easy to generate a variety of new domains, helping the malware evade detection.
Tinba’s DGA works as follows:
    is_connected = false
    while (!is_connected) {
        current_domain = hard_coded_domain      // 12-character label embedded in the sample
        loop_size = 1000                        // at most 1000 domains per parameter pair
        while (loop_size > 0) {
            seed = 0                            // seed is rebuilt from the constant seed_data
            for (i = 0; i < 16; i++)
                seed += seed_data[i]
            for (i = 0; i < 12; i++) {
                while (true) {
                    // derive the next character from the current one and its right neighbour
                    current_domain[i] = (seed ^ current_domain[i]) + current_domain[i + 1]
                    if (current_domain[i] not between 'a' and 'z')
                        seed++                  // not a letter: adjust the seed and retry
                    else
                        break
                }
            }
            if (connect_to_c2(current_domain + TLD)) {
                is_connected = true
                break
            }
            loop_size--                         // current_domain is not reset between rounds
        }
    }
In the above code, you can see that the TLD (.com, .ru, etc.) is hard-coded in the executable and is unique to that particular variant. The seed_data remains constant, while current_domain is carried from one iteration to the next, yielding a new domain on every loop. There are only 1000 possible domains per variant. Once the last domain is reached, the algorithm moves on to the next pair of parameters.
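The following is an added example, not Seculert’s or the malware author's code: a Python reimplementation of the DGA pseudocode above, written from the analyst's side to pre-generate a sample's 1000 candidate C&C domains and match them against DNS query logs. It assumes 8-bit character arithmetic (values wrap at 0xFF), a 12-character label, and the constructed placeholder parameters used in the demo; the hard-coded domain, seed bytes and TLD of real samples are not reproduced here.

```python
# Added example (not from the original post): reimplementation of the Tinba
# DGA as described, for pre-generating a sample's candidate domains so they
# can be fed to a blocklist or matched against DNS logs.
# Assumptions: 8-bit characters (wrap at 0xFF), 12-character labels, and
# constructed placeholder parameters in the demo at the bottom.

def generate_domains(hard_coded_domain: str, seed_data: bytes, tld: str,
                     count: int = 1000) -> list[str]:
    """Return the `count` domains a sample with these parameters would try, in order."""
    if len(hard_coded_domain) != 12 or len(seed_data) != 16:
        raise ValueError("expected a 12-char seed domain and 16 seed bytes")
    # The algorithm reads current_domain[i + 1] for i == 11, i.e. the byte after
    # the label; in a C string that is the terminating NUL, so keep one here.
    current = bytearray(hard_coded_domain.encode("ascii") + b"\x00")
    domains = []
    for _ in range(count):
        seed = sum(seed_data)            # recomputed each round from constant seed_data
        for i in range(12):
            for _attempt in range(1 << 16):   # guard: never hang on a pathological input
                current[i] = ((seed ^ current[i]) + current[i + 1]) & 0xFF
                if ord("a") <= current[i] <= ord("z"):
                    break
                seed += 1                # not a letter: bump the seed and retry this position
            else:
                raise RuntimeError(f"position {i} never produced a letter")
        # current_domain is not reset, so each round mutates the previous label
        domains.append(current[:12].decode("ascii") + tld)
    return domains


def match_dns_queries(candidates: list[str], queries: list[str]) -> list[str]:
    """Return the queried names that fall in the sample's DGA set, in query order."""
    wanted = set(candidates)
    return [q for q in queries if q.lower().rstrip(".") in wanted]


if __name__ == "__main__":
    # Constructed placeholders: not parameters taken from a real sample.
    doms = generate_domains("abcdefghijkl", bytes(range(16)), ".com")
    print(len(doms), "candidate domains; first three:", doms[:3])
    # Constructed DNS query list: two hits from the generated set, one benign name.
    print(match_dns_queries(doms, [doms[7], "example.com", doms[999]]))
```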
A Sign in the Samples
It seems intuitive that a signed executable would be less suspicious than an unsigned one. Our researchers have seen quite a few signed and unsigned samples, which may indicate that Tinba is available as a kit for sale in the underground, or as malware-as-a-service like Carberp, or that it is simply being used as inspiration for new, more malicious attacks. This raises the possibility that more than one group is using the new version of the Tinba trojan. From what we have seen so far, Tinba seems active mainly in Germany and the Netherlands.
Figure 3: Signed executable certificate based on VirusTotal.com
Figure 4: Signed executable check based on Sysinternals sigcheck.
So while the Tinba trojan has shown some ingenuity in its latest version, the good news is that Seculert customers are already protected from this threat.
Contributors: Yevgeny Kulakov and Adi Raff
MD5s:
Signed file hash: 381676df05edaf34a88782131ef4ef3fde5cb58d656bc2184ffcf8209e7fedfb
Unsigned file hash: 0aca4efd69c9331751f0e9d13f434aa640a0f94eb1b522b5e4100aefc47670fb
The post Tiny Tinba Trojan Could Pose Big Threat appeared first on Seculert Blog on Advanced Threats and Cyber Security.