October 15, 2014

Tinba Malware: Domain Generation Algorithm Means New, Improved, and Persistent


Tinba, also known as "Tinybanker", "Zusy" and "HµNT€R$", is a banking Trojan that was first seen in the wild around May 2012. Its source code was leaked in July 2014. Cybercriminals customized the leaked code and created an even more sophisticated piece of malware that is being used to attack a large number of popular banking websites around the world.

The original Tinba malware was written in assembly and was noted for its very small size (around 20 KB including all Webinjects and configuration). At runtime it relies mostly on four system libraries: ntdll.dll, advapi32.dll, ws2_32.dll, and user32.dll. Its main functionality is hooking the browsers on the infected machine (a man-in-the-browser technique): inside the browser the malware sees HTTP traffic before it is encrypted, so it can intercept requests and perform web injections, inserting its own content into the pages of targeted banking sites.

The new and improved version contains a domain generation algorithm (DGA), which makes the botnet much harder to disrupt. Instead of relying on a fixed list of command and control (C&C) servers, each bot computes the same sequence of candidate domains from a shared algorithm; after an existing C&C server is taken down, the operators only need to register one of the upcoming domains to regain control. This is what gives the malware the ability to come back to life after a takedown.
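To make the takedown-resistance argument concrete, here is an illustrative DGA together with the defender's counter-move. It is an added example written for this article, not Tinba's algorithm (which the report does not describe) and not F5's code; the seed, the hashing scheme and the TLD set are all assumptions. The point it demonstrates is general: bots and operators derive the same daily list from a shared seed, so blocking one domain achieves little, while a defender who recovers the seed from a sample can enumerate the upcoming domains and sinkhole or block them ahead of the bots.

```python
"""Illustrative domain generation algorithm (DGA) with the defender's counter-move.

This is a hypothetical DGA written for this article; it is NOT Tinba's real
algorithm, which the article does not describe. It shows the property that
matters: bots and operators derive the same daily list of candidate C&C
domains from a shared seed, so taking down one domain does not cut the bots
off, and a defender who recovers the seed can enumerate the list in advance.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info")  # assumed TLD set for the illustration


def generate_domains(seed: bytes, day: date, count: int = 10) -> list[str]:
    """Return `count` (at most 256) deterministic candidate domains for `day`.

    Domain i is derived from SHA-256(seed || YYYYMMDD || i): the first 12
    digest bytes become lowercase letters, byte 12 selects the TLD.
    """
    stamp = day.strftime("%Y%m%d").encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + stamp + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def precompute_window(seed: bytes, start: date, days: int, count: int = 10) -> dict[str, date]:
    """Defender side: enumerate every domain the bots will try from `start`
    for `days` days, so they can be registered, sinkholed or blocked first.
    Maps each domain to the day on which the bots will query it."""
    window: dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for domain in generate_domains(seed, day, count):
            window[domain] = day
    return window


def classify_queries(queries: list[str], window: dict[str, date]):
    """Split observed DNS query names into DGA hits (domain -> day) and the rest."""
    hits = {q: window[q] for q in queries if q in window}
    others = [q for q in queries if q not in window]
    return hits, others


if __name__ == "__main__":
    seed = b"constructed-seed"  # constructed; a real seed is recovered from the sample
    today = date(2014, 10, 15)
    print("today's candidates:", generate_domains(seed, today, 3))
    window = precompute_window(seed, today, 7)
    # Constructed DNS log: two of tomorrow's candidates plus benign traffic.
    log = generate_domains(seed, today + timedelta(days=1), 2) + ["www.example.com"]
    hits, others = classify_queries(log, window)
    print("DGA lookups:", hits)
    print("other lookups:", others)
```

Two practical notes follow from the shape of the code. First, the algorithm has to be reversed from the sample before any of this works, which is why DGA samples are worth full analysis rather than just domain blocklisting. Second, a real DGA may generate hundreds of domains per day, so the window quickly becomes a large set; matching DNS logs against it is cheap, but registering every domain is not, which is why sinkholing operations concentrate on the days immediately ahead.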

Upon execution, the malware first injects itself into winver.exe, a legitimate Windows applet that displays the Windows version, and from there propagates into Explorer.exe by creating a thread inside it (Thread ID 3460 in this analysis run; the ID is specific to that run and will differ on other machines). Then, while operating through Explorer.exe, it writes itself as bin.exe in the C:\Documents and Settings\Administrator\Application Data\557CEB7B\ folder, which is the %APPDATA% directory of the Administrator account on the Windows XP analysis machine.

Tinba gains control over the system by hooking several functions inside the ntdll.dll library: NtCreateProcessEx, NtCreateThread, NtEnumerateValueKey, NtQueryDirectoryFile, and NtResumeThread. The report does not detail each hook's purpose, but these are the classic user-mode rootkit hook points: hooks on process and thread creation (NtCreateProcessEx, NtCreateThread, NtResumeThread) let the malware follow into every new process, including freshly launched browsers, and hooks on registry and directory enumeration (NtEnumerateValueKey, NtQueryDirectoryFile) are the usual means of hiding autorun values and dropped files from tools that enumerate through those APIs. Because ntdll.dll is the lowest user-mode layer, hooks placed there catch calls from every higher-level Windows API that funnels through it.
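The report names the hooked functions but not how the hooks are implemented; the common user-mode technique is an inline patch that overwrites the first bytes of the target with a jump to the malware's handler, and the standard way to find it is to compare each export's in-memory prologue with the on-disk copy of ntdll.dll. The following is an added example of that comparison, not code from the article or from the Tinba sample. Collecting the bytes (ReadProcessMemory on the suspect process, and the export's file offset from the PE export table) is left to the collector; the block classifies byte strings only, so it runs anywhere. The stub bytes, image base, image size and handler address are all constructed for the illustration.

```python
"""Spotting inline hooks on ntdll exports by comparing prologue bytes.

Added example, not code from the article or from Tinba. The usual user-mode
hook overwrites the first bytes of the target with a jump to the malware's
handler; comparing the in-memory prologue with the on-disk copy exposes it.
All addresses and byte strings below are constructed for the illustration.
"""
from __future__ import annotations

import struct

NTDLL_BASE = 0x7C900000  # hypothetical ntdll image base in the target process
NTDLL_SIZE = 0x000AF000  # hypothetical image size
HOOKED_BY_TINBA = (
    "NtCreateProcessEx", "NtCreateThread", "NtEnumerateValueKey",
    "NtQueryDirectoryFile", "NtResumeThread",
)


def analyze_prologue(disk: bytes, mem: bytes, func_addr: int) -> tuple[str, int | None]:
    """Compare the first bytes of a function as mapped in memory (`mem`, at
    virtual address `func_addr`) with the on-disk copy (`disk`).

    Returns (verdict, target). verdict is 'clean' when the bytes agree,
    otherwise the patch shape that was decoded: 'jmp_rel32' (E9 rel32),
    'push_ret' (68 imm32 C3), 'short_jmp' (EB rel8) or 'patched' for any
    other difference. target is the decoded jump destination when known.
    """
    n = min(len(disk), len(mem))
    if disk[:n] == mem[:n]:
        return "clean", None
    if len(mem) >= 5 and mem[0] == 0xE9:
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp_rel32", (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:
        return "push_ret", struct.unpack_from("<I", mem, 1)[0]
    if len(mem) >= 2 and mem[0] == 0xEB:
        rel = struct.unpack_from("<b", mem, 1)[0]
        return "short_jmp", (func_addr + 2 + rel) & 0xFFFFFFFF
    return "patched", None


def jmp_rel32_patch(func_addr: int, target: int) -> bytes:
    """Encode the 5-byte E9 patch a hooker would write at func_addr."""
    return b"\xe9" + struct.pack("<i", target - (func_addr + 5))


def scan_exports(disk_prologues, mem_prologues, addresses, base=NTDLL_BASE, size=NTDLL_SIZE):
    """Return {name: (verdict, target, outside_module)} for every export.

    outside_module is True when a decoded jump leaves the ntdll image,
    which is the tell of a third-party hook rather than a vendor hotpatch.
    """
    findings = {}
    for name, disk in disk_prologues.items():
        verdict, target = analyze_prologue(disk, mem_prologues[name], addresses[name])
        outside = target is not None and not (base <= target < base + size)
        findings[name] = (verdict, target, outside)
    return findings


# Constructed data: a hypothetical x86 Nt* stub (mov eax, n ; mov edx, 7FFE0300h ;
# call [edx] ; ret 2Ch) and a memory image in which Tinba-style patches were
# applied to the five functions the article names, plus one untouched export.
STUB = bytes.fromhex("b8 91 00 00 00 ba 00 03 fe 7f ff 12 c2 2c 00")
HANDLER = 0x00C31000  # hypothetical address inside the injected malware code

ADDRESSES = {name: NTDLL_BASE + 0xE000 + 0x20 * i
             for i, name in enumerate(HOOKED_BY_TINBA + ("NtClose",))}
DISK = {name: STUB for name in ADDRESSES}
MEM = {name: jmp_rel32_patch(ADDRESSES[name], HANDLER) + STUB[5:]
       for name in HOOKED_BY_TINBA}
MEM["NtClose"] = STUB


def demo_scan():
    """Run the comparison over the constructed ntdll image."""
    return scan_exports(DISK, MEM, ADDRESSES)


if __name__ == "__main__":
    for name, (verdict, target, outside) in demo_scan().items():
        shown = f"0x{target:08X}" if target is not None else "-"
        print(f"{name:22} {verdict:10} target={shown} outside_ntdll={outside}")
```

The outside_module flag is what separates a real finding from noise: Microsoft's own hotpatching and some security products also modify prologues, but their jump targets stay inside the patched module or a known vendor DLL, whereas a banking Trojan's handler lives in memory it injected into the process. Run the comparison inside Explorer.exe and the browsers, since those are the processes the report says Tinba occupies.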

In order to stay persistent, the malware writes two autorun entries so that it starts with Windows at boot. They are written under the Software\Microsoft\Windows\CurrentVersion\Run key in both the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE hives, and both point to the malware executable at C:\Documents and Settings\Administrator\Application Data\557CEB7B\bin.exe. Writing the HKLM entry requires administrative rights (the analysis ran as Administrator); it starts the malware for every user who logs on, while the HKCU entry keeps it running for the infected user even if the HKLM entry is later removed. An executable under Application Data referenced from both Run keys is a useful triage signature on its own.
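The persistence pattern above (the same executable under the user's Application Data folder referenced from both Run keys) is easy to check for across a fleet. The script below is an added example, not code from the article or from F5: it parses Run values into executable paths, flags those that live under Application Data, and groups them by executable so a dual HKCU + HKLM entry shows up as one finding. The entries in ENTRIES are constructed to match the report's description (the value name "bin" and the vendor entry are assumptions); on Windows the same triage runs over the live registry.

```python
"""Triage of Run-key autoruns for the pattern the article describes: entries in
both the HKCU and HKLM Run keys that point at an executable under the user's
Application Data folder. Added example, not code from the article; the
registry entries in ENTRIES are constructed, not taken from a sample.
"""
from __future__ import annotations

import ntpath
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd", ".dll", ".pif")
# Locations where a user-level dropper typically writes itself: the XP-era
# path from the article and its Vista+ equivalent (assumed account name).
USER_DATA_ROOTS = (
    r"C:\Documents and Settings\Administrator\Application Data",
    r"C:\Users\Administrator\AppData",
)


def executable_from_command(data: str) -> str:
    """Extract the program path from a Run value's command line.

    Handles quoted paths ("C:\\x y\\a.exe" /s) and, like CreateProcess, the
    unquoted form with spaces (C:\\Documents and Settings\\...\\bin.exe) by
    extending the candidate word by word until it ends in an executable suffix.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    words = data.split(" ")
    for i in range(1, len(words) + 1):
        candidate = " ".join(words[:i])
        if candidate.lower().endswith(EXECUTABLE_SUFFIXES):
            return candidate
    return data


def is_under(path: str, root: str) -> bool:
    """Case-insensitive 'path lies inside root' check using Windows path rules."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + ntpath.sep)


def triage(entries, roots=USER_DATA_ROOTS):
    """entries: iterable of (hive, value_name, command). Returns findings for
    commands whose executable sits under one of `roots`; each finding records
    the hives and value names that reference the same executable, so a dual
    HKCU + HKLM autorun (the article's case) is visible as one item."""
    by_exe: dict[str, dict] = {}
    for hive, name, command in entries:
        exe = executable_from_command(command)
        if not any(is_under(exe, root) for root in roots):
            continue
        finding = by_exe.setdefault(exe, {"exe": exe, "hives": set(), "names": set()})
        finding["hives"].add(hive)
        finding["names"].add(name)
    return sorted(by_exe.values(), key=lambda f: f["exe"].lower())


def collect_run_entries():
    """Live collection on Windows via winreg; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    found = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:  # no more values
                        break
                    found.append((hive_name, name, str(data)))
                    i += 1
        except OSError:  # key absent or not readable
            continue
    return found


# Constructed entries mirroring the article: the same bin.exe in both hives
# (value name "bin" is assumed), plus a benign vendor entry for contrast.
ENTRIES = [
    ("HKCU", "bin", r"C:\Documents and Settings\Administrator\Application Data\557CEB7B\bin.exe"),
    ("HKLM", "bin", r"C:\Documents and Settings\Administrator\Application Data\557CEB7B\bin.exe"),
    ("HKLM", "Updater", r'"C:\Program Files\Vendor\updater.exe" /background'),
]


if __name__ == "__main__":
    for f in triage(collect_run_entries() or ENTRIES):
        print(f"{f['exe']}  hives={sorted(f['hives'])}  names={sorted(f['names'])}")
```

Two caveats when using this live. The malware's hooks on NtEnumerateValueKey may hide its own Run value from a process it has injected into, so run the check from a clean process or against an offline copy of the NTUSER.DAT and SOFTWARE hives. And Run keys are only two of many autostart locations; treat this as a fast first pass rather than a complete persistence sweep.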

To see the full version of this report, click "Download" below.
