Tinba Malware: Domain Generation Algorithm Means New, Improved, and Persistent

Tinba, also known as "Tinybanker", "Zusy" and "HµNT€R$", is a banking Trojan.
October 15, 2014
2 min. read

Tinba, also known as "Tinybanker", "Zusy" and "HµNT€R$", is a banking Trojan that was first seen in the wild around May 2012. Its source code was leaked in July 2014. Cybercriminals customized the leaked code and created an even more sophisticated piece of malware that is being used to attack a large number of popular banking websites around the world.

The original Tinba malware was written in the assembly programming language and was noted for its very small size (around 20 KB including all Webinjects and configuration). The malware mostly uses four system libraries during runtime: ntdll.dll, advapi32.dll, ws2_32.dll, and user32.dll. Its main functionality is hooking all the browsers on the infected machine, so it can intercept HTTP requests and perform web injections.

The new and improved version contains a domain generation algorithm (DGA), which makes the malware much more persistent and gives it the ability to come back to life even after a command and control (C&C) server is taken down.

Upon execution, the malware initially infects the system by opening the winver.exe process, which is a legitimate windows applet that shows the Windows version, injecting itself into it, and propagating into Explorer.exe by creating Thread ID: 3460. Then, while operating through Explorer.exe, it writes itself as a bin.exe file in the C:\Documents and Settings\Administrator\Application Data\557CEB7B\ folder.

Tinba gains control over the system by hooking several functions inside the ntdll.dll library. The hooked functions are: NtCreateProcessEx, NtCreateThread, NtEnumerateValueKey, NtQueryDirectoryFile, and NtResumeThread.

In order to stay persistent in the system, the malware writes two autorun locations, making it start with Windows at boot. The autoruns are written into the registry in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE registry hives, under the Software\Microsoft\Windows\ CurrentVersion\Run\ key; both point to the malware executable at C:\Documents and Settings\Administrator\Application Data\557CEB7B\bin.exe.

To see the full version of this article, click "Download" below.

Join the Discussion
Authors & Contributors
Pavel Asinovsky (Author)
Malware Researcher

What's trending?

Forward and Reverse Shells
Forward and Reverse Shells
09/15/2023 article 5 min. read
Web Shells: Understanding Attackers’ Tools and Techniques
Web Shells: Understanding Attackers’ Tools and Techniques
07/06/2023 article 6 min. read
What Is Zero Trust Architecture (ZTA)?
What Is Zero Trust Architecture (ZTA)?
07/05/2022 article 13 min. read