Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus


July 17th, 2014

Tinybanker Trojan targets banking customers

Tinba Trojan specifically targets bank customers with deceitful debt notice.

The Tinba Trojan is banking malware that uses a social engineering technique called spearfishing to target its victims. Recently, targets have been banking customers in Czech Republic, AVAST Software’s home country. Tinba, aka Tiny Banker or Tinybanker,  was first reported in 2012 where it was active in Turkey. A whitepaper analyzing its functionality is available here (PDF). However, the spam campaigns against bank users in Czech Republic are still going on and have became more intensive. Here is an example of what Czech customers recently found in their email inbox.

Czech version:

VÝZVA K ÚHRADĚ DLUŽNÉHO PLNĚNÍ PŘED PROVEDENÍM EXEKUCE

Soudní exekutor Mgr. Bednář, Richard, Exekutorský úřad Praha-2, IČ 51736937, se sídlem Kateřinská 13, 184 00 Praha 2
pověřený provedením exekuce: č.j. 10 EXE 197/2014 -17, na základě exekučního titulu: Příkaz č.j. 077209/2014-567/Čen/G V.vyř.,
vás ve smyslu §46 odst. 6 z. č. 120/2001 Sb. (exekuční řád) v platném znění vyzývá k splnění označených povinností, které ukládá exekuční titul, jakož i povinnosti uhradit náklady na nařízení exekuce a odměnu soudního exekutora, stejně ták, jako zálohu na náklady exekuce a odměnu soudního exekutora:

Peněžitý nárok oprávněného včetně nákladu k dnešnímu dni: 9 027,00 Kč
Záloha na odměnu exekutora (peněžité plnění): 1 167,00 Kč včetně DPH 21%
Náklady exekuce paušálem: 4 616,00 Kč včetně DPH 21%

Pro splnění veškerých povinností  je třeba uhradit na účet soudního exekutora (č.ú. 549410655/5000, variabilní symbol 82797754, ČSOB a.s.), ve lhůtě 15 dnů od
doručení této výzvy 14 810,00 Kč

Nebude-li  uvedená částka uhrazena ve lhůtě 15 dnů od doručení této výzvy, bude i provedena exekuce majetku a/nebo zablokován bankovní účet  povinného ve smyslu § 44a odst. 1 EŘ a podle § 47 odst. 4 EŘ. Až do okamžiku splnění povinnosti.

Příkaz k úhradě, vyrozumění o zahájení exekuce  a vypučet povinnosti najdete v přiložených souborech.

Za správnost vyhotovení Alexey Mishkel

 

English translation:

Distraint notice
———————
Bailiff [Academic title] [First name] [Last name], Distraint office Prague-2 ID: 51736937 at Katerinska 13, 184 00 Prague 2 was authorized to proceed the execution 10 EXE 197/2014 -17 based on execution Order 077209/2014-567/Cen/G according to §46 paragraph 4, 120/2001 law collection in valid form which impose you to pay these costs:

Debt amount: 9,027.00 CZK ($445.00)
Distraint reward: 1,167 including 21% TAX
Fixed costs: 4,616 CZK including 21% TAX
Total: 14,810 CZK ($730.00)

To bank account 549410655/5000, variable symbol 82797754, CSOB a.s.

For the correctness of the copy warrants Alexey Mishkel

Using the spearfishing social engineering tactic, the attackers attempt to scare their victims with a specially designed email message explaining that a debt exists which needs to be paid.

Details of the Tinba Banking Trojan threat

A file attached to the email is named prikaz0581762789F75478F.zip.  It contains an executable file prikaz-15.07.2014-signed_1295311881CC7544E.exe. Prikaz means order in the Czech language.

The executable file in the attachment is heavily obfuscated. After unpacking, it turns out that it is a downloader which downloads, unpacks, and executes the next stage of the threat. It also drops and opens a RTF file containing the above mentioned message.

The first stage was well described by colleagues from AVG in their blogpost.

The second stage is obfuscated with a similar custom packer as stage 1. The screenshot below shows a long spaghetti code, with EnumFontsA redirecting code flow to its callback.

screen01

screen02

Later on, the Tinba Banker gets decrypted and executed. We will not delve into details about this particular threat, because it is nothing new, however we are interested in the configuration file.

When transmitted, the data are encrypted with RC4 cipher with a hard-coded password, displayed in the figure below.
screen03

After the decryption, we get Tinba’s configuration file. We can clearly see that it targets the following Czech banks: Ceska Sporitelna, CSOB, Era and Fio.

screen03_config

Stealing of sensitive data runs through webinjects into original web-browser banking interfaces. The webinjects are downloaded from the bot’s C&C and come in a RC4-encrypted configuration file sharing format with the infamous Carberp and Spyeye banking Trojans. With every botuid (unique identifier associated with the user’s environment), an array of grabbed log in names with passwords are stored on a malicious server. Additional downloadable JavaScripts are associated with each webinject, e.g. scripts linked hXXps://andry-shop.com/gate/get_html.js; hXXps://andry-shop.com/csob/gate/get_html.js; resp. hXXps://yourfashionstore.net/panel/a5kGcvBqtV with Ceska Sporitelna, CSOB resp. FIO. The purpose of the latter ones are to redirect victims to a page offering various applications containing the string OTPdirekt.

Variants for Windows Phone, Blackberry and iPhone are offered, but it seems that the download is still not implemented. The only available application that provides pairing a personal computer with a mobile (and therefore serves for a multifactor authentication bypass) is an Android app.

In the figure below, you can see that the format of configuration file is compatible with tools related to banking Trojans Spyeye and Carberp.

tinba_fio_webinject

 

Screenshots below shows active webinjects on an infected machine.

tinba_fio2_webinject tinba_servis24_new_webinject

When the victim logs into their bank account, he/she is presented with the following message. This message says that two factor authentication via OTPDirekt application is needed. The user is asked to select the operating system of the smartphone.

screen04

In the case of Android, a picture with a QR code is presented. This QR code leads to the shortcut link, which redirects the user to the server with the Android application.

screen05
screen06

The shortened links leads to a “potentially problematic” link. If we ignore this warning, we get the malicious Android application.
screen07
screen09_cs

If the installation is successful,  “Thank you for using OTPdirekt application” is displayed to the victim.
screen08

If a user chooses any operating system except for Android, he is presented with the following message, translated as “Please try again later!”

screen10

The downloaded Android application was already detected by avast! as Android:Perkele-T.

Below we present screenshots of the fake Android apps.

csob_cs

fio_era

From the malicious code inserted into the internet banking website, we can deduce the following information. The comment “Instrukciya” is a Russian word, which means “instruction.” It is possible that Russian speaking individuals are behind this attack.

instrukciya

SMS messages from the infected phone are forwarded to the phone number, which is registered in the Astachan area, which is in the southern part of Russia.

russia_number
Malware tries to mask its activity by hiding already issued (illegal) transactions and the account balance. You can see that in the displayed snippet of the code.

tinba_replace

In the first phase of the spearfishing campaign, malware authors focused on bank customers with more than 70,000CZK (about $3,500) account balance. In the second phase, they focused on all customers, no matter what their account balance was. In the figure below, if the balance is below 70000 CZK, only information about the malware installation and account number was sent to C&C. In the other cases, information about account balance was sent, too. This part of code was finally commented out and replaced with the second variant.

min_balance

Conclusion

Social engineering is an effective method to deliver malicious code execution. The text was so persuasive that even a few people in our close neighborhood got infected.  Although banks have introduced multifactor authentication to protect their users, more advanced malware authors adapted their Trojans to bypass it.

 

SHAs:

Malicious Android apps

BFC6E1FA02459E3C35BD4D0EE3097E2E5D7B478A8F58AF76DDE0114CA2AE8945

C5265B8BAF76D0836AEBBD99C15307F7455ED38A0B7645E84DAE3CE4BF4B6A26

Zemot downloader (custom packed)

7D50FF2E235DCE7D0AB640A3519D025B0B67A45B81BEA1BC0FE98921B0A8044A

Zemot downloader (unpacked)

EABB8C0A1B76550215B228A8A0FDA2F4C7BA24BF30D17A9866A7EC931E228F1A

Tinba banker (custom packed)

F53C5C06FC96B965C473629F2FD7AB72E58CA188CF3889493D371A6436FEAA63

Tinba banker (unpacked)

0188D61BB9EB3EFA01D66EBC52B6E252D5636925488751018D9BCFC0DF467B40

C&Cs

picapicanet.net
picapicachu.com

Acknowledgement:

This analysis was done collaboratively by Jaromir Horejsi, Peter Kalnai, David Fiser and Jan Zika.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.