The Tinba Trojan aka Tiny Banker targeted Czech bank customers this summer; now it’s gone global.
After an analysis of a payload distributed by Rig Exploit kit, the AVAST Virus Lab identified a payload as Tinba Banker. This Trojan targets a large scope of banks like Bank of America, ING Direct, and HSBC.
In comparison with our previous blogpost, Tinybanker Trojan targets banking customers, this variant has some differences, which we will describe later.
How does Tiny Banker work?
- 1. The user visits a website infected with the Rig Exploit kit (Flash or Silverlight exploit).
- 2. If the user’s system is vulnerable, the exploit executes a malicious code that downloads and executes the malware payload, Tinba Trojan.
- 3. When the computer is infected and the user tries to log in to one of the targeted banks, webinjects come into effect and the victim is asked to fill out a form with his/her personal data.
- 4. If he/she confirms the form, the data is sent to the attackers. This includes credit card information, address, social security number, etc. An interesting field is “Mother’s Maiden Name”, which is often used as a security question to reset a password.
Ransomware steals email addresses and passwords; spreads to contacts.
Recently a lot of users in Russian-speaking countries received emails similar to the message below. It says that some changes in an “agreement’ were made and the victim needs to check them before signing the document.
The files have .btc attachment, but they are regular executable files.
coherence.btc is GetMail v1.33
spoolsv.btc is Blat v3.2.1
lsass.btc is Email Extractor v1.21
null.btc is gpg executable
day.btc is iconv.dll, library necessary for running gpg executable
tobi.btc is Browser Password Dump v2.5
sad.btc is sdelete from Sysinternals
paybtc.bat is a long Windows batch file which starts the malicious process itself and its replication
After downloading all the available tools, it opens a document with the supposed document to review and sign. However, the document contains nonsense characters and a message in English which says, “THIS DOCUMENT WAS CREATED IN NEWER VERSION OF MICROSOFT WORD”.
The old ransomware business model is no longer enough for malware authors. New additions have made Reveton into something even more powerful.
The latest generation of Reveton, the infamous “police” lock screen/ransomware, targets new black market business. The authors upped the ante of the despised malware from a LockScreen-only version to a dangerously powerful password and credentials stealer by adding the last version of Pony Stealer. This addition affects more than 110 applications and turns your computer to a botnet client.
Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. In all cases, Reveton contains a link to download an additional password stealer. The most common infection is via the well-known exploit kits, FiestaEK, NuclearEK, SweetOrangeEK, etc.
Pony stealer module
Reveton use one of the best password/credentials stealer on the malware scene today. Pony authors conduct deep reverse engineering work which results in almost every password decrypted to plain text form. The malware can crack or decrypt quite complex passwords stored in various forms.
Tinba Trojan specifically targets bank customers with deceitful debt notice.
The Tinba Trojan is banking malware that uses a social engineering technique called spearfishing to target its victims. Recently, targets have been banking customers in Czech Republic, AVAST Software’s home country. Tinba, aka Tiny Banker or Tinybanker, was first reported in 2012 where it was active in Turkey. A whitepaper analyzing its functionality is available here (PDF). However, the spam campaigns against bank users in Czech Republic are still going on and have became more intensive. Here is an example of what Czech customers recently found in their email inbox.
VÝZVA K ÚHRADĚ DLUŽNÉHO PLNĚNÍ PŘED PROVEDENÍM EXEKUCE
Soudní exekutor Mgr. Bednář, Richard, Exekutorský úřad Praha-2, IČ 51736937, se sídlem Kateřinská 13, 184 00 Praha 2
pověřený provedením exekuce: č.j. 10 EXE 197/2014 -17, na základě exekučního titulu: Příkaz č.j. 077209/2014-567/Čen/G V.vyř.,
vás ve smyslu §46 odst. 6 z. č. 120/2001 Sb. (exekuční řád) v platném znění vyzývá k splnění označených povinností, které ukládá exekuční titul, jakož i povinnosti uhradit náklady na nařízení exekuce a odměnu soudního exekutora, stejně ták, jako zálohu na náklady exekuce a odměnu soudního exekutora:
Peněžitý nárok oprávněného včetně nákladu k dnešnímu dni: 9 027,00 Kč
Záloha na odměnu exekutora (peněžité plnění): 1 167,00 Kč včetně DPH 21%
Náklady exekuce paušálem: 4 616,00 Kč včetně DPH 21%
Pro splnění veškerých povinností je třeba uhradit na účet soudního exekutora (č.ú. 549410655/5000, variabilní symbol 82797754, ČSOB a.s.), ve lhůtě 15 dnů od
doručení této výzvy 14 810,00 Kč
Nebude-li uvedená částka uhrazena ve lhůtě 15 dnů od doručení této výzvy, bude i provedena exekuce majetku a/nebo zablokován bankovní účet povinného ve smyslu § 44a odst. 1 EŘ a podle § 47 odst. 4 EŘ. Až do okamžiku splnění povinnosti.
Příkaz k úhradě, vyrozumění o zahájení exekuce a vypučet povinnosti najdete v přiložených souborech.
Za správnost vyhotovení Alexey Mishkel
Bailiff [Academic title] [First name] [Last name], Distraint office Prague-2 ID: 51736937 at Katerinska 13, 184 00 Prague 2 was authorized to proceed the execution 10 EXE 197/2014 -17 based on execution Order 077209/2014-567/Cen/G according to §46 paragraph 4, 120/2001 law collection in valid form which impose you to pay these costs:
Debt amount: 9,027.00 CZK ($445.00)
Distraint reward: 1,167 including 21% TAX
Fixed costs: 4,616 CZK including 21% TAX
Total: 14,810 CZK ($730.00)
To bank account 549410655/5000, variable symbol 82797754, CSOB a.s.
For the correctness of the copy warrants Alexey Mishkel
Using the spearfishing social engineering tactic, the attackers attempt to scare their victims with a specially designed email message explaining that a debt exists which needs to be paid.
avast! Mobile Security protects from an Android flaw which leaves nearly all new smartphones and tablets vulnerable to attack.
Last week, a wave of articles about a newly discovered Android security flaw flooded the Internet. They sounded a warning, similar to this:
“A flaw in the Android operating system may leave many Android phones and tablets vulnerable to attack, including the Samsung Galaxy S5 and Google’s own Nexus 5,” reported Jill Scharr in a Tom’s Guide article.
Our Virus Lab did not waste time and started preparing for the inevitable attacks. AVAST researchers dug into the subject looking for malware to make sure that avast! Mobile Security is ready to protect our users. If you are an avast! user and your tablet or smartphone is protected by avast! Mobile Security, you are protected.
“Even though TowelRoot is not malicious itself, it may be misused as an exploit kit. Generally, TowelRoot can be used as a delivery package for malicious applications,” explained Filip Chytry, an AVAST Virus Lab expert on mobile malware. “It’s capable of misusing a mistake in Android code which allows attackers to get full control over your Android device. TowelRoot itself is more a proof-of-concept, but in the hands of bad guys, it can be misused really quickly. For this reason we added it to our virus signatures, so Avast detects it as Android:TowelExploit.”
Android has not made an official statement on the security flaw, however our researchers confirm that even the latest versions of the operating system are exposed (version 4 and all higher). It is very likely that versions 3.0 can be attacked, too. For those who just purchased an Android device or don’t have protection yet, we strongly recommend that you install avast! Mobile Security, before taking any further actions. Despite the fact that some of the mobile providers claim that their devices are immune to this particular Android exploit, it is highly risky to leave your device unprotected.
What is the TowelRoot Android vulnerability?
Earlier this month a security flaw in Linux, the operating system which Android is based upon, was discovered by a young hacker known as “Pinkie Pie.” Soon afterwards, a gifted teenager, notable because he was the first to unlock the unlockable – an iPhone at the age of 17, prepared a tool kit for potential hackers. Its instructions are available publicly to “purchase,” allowing even less advanced programmers to write a script that will use the exploit.
The potential exists for hackers to take full control; to simply root your device. So far the AVAST Virus Lab has not observed any massive attack, however knowing about the potential risk, our Virus Lab is ready for the attack. avast! Mobile Security is capable of discovering different variations of malware code required to exploit the bug.
Who is exposed and how to protect yourself?
Basically everyone who owns an Android device without proper antivirus protection, tablet or mobile phone, with any version of Android OS, including the newest one is at risk for malware.
In order to prevent this exploit, or any other malware attack, once you purchase your device, we advise to install antivirus first, before installing any apps, importing contacts, or starting to browse online. Our avast! Free Mobile security, as well as its Premium version are available to download and install from Google Play.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
Hackers use weak passwords just like the rest of us.
Nearly two thousand passwords used by hackers were leaked this week, when I tried to decode a PHP shell without knowing the key. Because I did not know the exact content of the encoded file and searching the key could take me years, I chose a different approach. I decided to find out how strong passwords used by hackers are and create a dictionary.
Over the years of fighting malware, the avast! Virus Lab has gathered many samples of various back-doors, bots and shells. Some of them are protected with a password encoded in MD5, SHA1 or in plain text, so it was good way to start. I looked at 40,000 samples of hackers’ passwords and found that nearly 2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from MD5 hashes, because they were shorter than 9 characters. That gave me a total of 1,601 passwords and 300 hashes. I created statistics from those words, and here are my findings.
About 10% of the passwords were beyond normal capabilities of guessing or cracking. Of those, I found words as long as 75 characters, probably generated by a computer. Some of them were in long sentence form mixed with special characters such as lol dont try cracking 12 char+. Too bad it was stored in plain text.
There were also passwords that don’t use characters from an English keyboard. But there was still a 90% chance it could be a normal word, maybe with some number in it. No less than 9% of the passwords could be found in an English dictionary.
The table on the right shows which characters are used in hackers’ passwords. The first row means that 58% of passwords contained only lower-case alphabet characters a-z. Read more…
A new Android mobile Trojan called SimplLocker has emerged from a rather shady Russian forum, encrypting files for ransom. AVAST detects the Trojan as Android:Simplocker, avast! Mobile Security and avast! Mobile Premium users can breathe a sigh of relief; we protect from it!
The Trojan was discovered on an underground Russian forum by security researchers at ESET. The Trojan is disguised as an app suitable for adults only. Once downloaded, the Trojan scans the device’s SD card for images, documents and videos, encrypting them using Advanced Encryption Standard (AES). The Trojan then displays a message in Russian, warning the victim that their phone has been locked, and accusing the victim of having viewed and downloaded child pornography. The Trojan demands a $21 ransom be paid in Ukrainian currency within 24 hours, claiming it will delete all the files it has encrypted if it does not receive the ransom. Nikolaos Chrysaidos, Android Malware Analyst at AVAST, found that the malware will not delete any of the encrypted files, because it doesn’t have the functionality to do so. Targets cannot escape the message unless they deposit the ransom at a payment kiosk using MoneXy. If the ransom is paid the malware waits for a command from its command and control server (C&C) to decrypt the files.
What can we learn from this?
Although this Trojan only targets a specific region and is not available on the Google Play Store, it should not be taken lightly. This is just the beginning of mobile malware, and is thought to be a proof-of-concept. Mobile ransomware especially is predicted to become more and more popular. Once malware writers have more practice, see that they can get easy money from methods like this, they will become very greedy and sneaky.
We can only speculate about methods they will come up with to eventually get their malicious apps onto official markets, such as Google Play, or even take more advantage of alternative outlets such as mobile browsers and email attachments. It is therefore imperative that people download antivirus protection for their smartphones and tablets. Mobile devices contain massive amounts of valuable data and are therefore a major target.
Ransomware can be an effective method for criminals to exploit vulnerable mobile users, many of which don’t back up their data. Just as in ransomware targeting PCs, this makes the threat of losing sentimental data, such as photos of family and friends or official documents, immense.
Don’t give cybercriminals a chance. Protect yourself by downloading avast! Mobile Security for FREE.
The path from the creation of malicious program to its delivery onto victims’ computers is long nowadays and involves many different players with the same goal – to make a financial gain. Malware authors usually offer their software to cyber criminals who in turn distribute it via underground forums. This is the how they keep their anonymous status. We have previously seen many famous malicious programs start this way.
In the past, the Russian banking Trojan Carberp was heavily advertised on shady forums. In the beginning of the year, an attempt to sell a new ransomware called Prison Locker was reported. Last year, we blogged about Trojan Solarbot which choose to promote itself through a well- designed website, appearing very official.
However, we don’t always know all the details about every piece of malware, from the code to how it is being distributed. The Trojan dubbed i2Ninja, for example, made headlines last year, but we never received a real sample containing all the functionalities the media reported on. Or do you remember the Hand of Thief Trojan for Linux desktops? Its variant for the Android platform was also advertised, but again, we never encountered it in our Virus Lab. These advertisements could have lacked the real code behind them or may have gone under in the pile of cyberthreats.
In March 2013 a new banking Trojan dubbed Minerva was introduced on a Russian forum. We will see that it is awfully successful in what it promised to do. Read more…
The World Cup in Brazil is just two weeks away, are you in the soccer spirit? The AVAST mobile malware team and I have tournament fever and have been downloading games and other soccer related apps from the Google Play store. We unfortunately noticed that some of the fun apps we downloaded weren’t as entertaining as we thought they would be…
AVAST detects fake soccer gaming app: Android:FakeViSport
Some of the Android gaming apps we downloaded primarily displayed ads instead of letting us play. Let me just point out a few from many. We were unable to play Corner Kick World Cup 2014 at all because it displayed nothing but a white screen, with ads popping up now and then. This app struck me as odd from the get go. When I checked the size of the app I noticed it was really tiny, less than 1MB. What kind of game can you expect from an app this size?! What is even more interesting is that the game is made by a developer called VinoSports. If you check the rest of his apps offered on Google Play they are all the same – just blank applications stuffed with advertisements.
This is unfortunately a quite common and sneaky way for developers to make some money. With applications like this, the only person who benefits from them are the developers. They may get some money if you actually click on the ads their apps display. We decided to block apps from VinoSports. From now on, they will be detected as Android:FakeViSport. They are fake applications in that they pretend to be something desirable, but they aren’t.
Some apps are in the gray zone
The second app I would like to mention is Fifa 2014 Free – World Cup. The app comes from a pretty big developer, “Top Game Kingdom LLC”, who has plenty of apps on Google Play and other stores. This however does not mean the app should be trusted. Fifa 2014 Free – World Cup, can be considered, at the very least, suspicious.
As for the app Football World Cup 14: The application’s installation package name doesn’t have anything to do with the name of the app itself. The app is called Football World Cup 14, yet its installation package is called “com.topgame.widereceiverfree”.Football World Cup 14, also known as “Widereceiverfree” requests access to information that has nothing to do with the app’s function, like location, call log, and to other accounts on the phone.
Weirdly enough the Football World Cup 14′s developer has even more applications on the market, most of them behave similarly. They pretend to be something different than what they really are. In the end you might get something that can be considered a game, a game with plenty of obstacles such as and with permissions that could easily misuse personal information.
Apps that display ads are not necessarily malicious. Plenty of apps, especially free apps, are funded by ads. They can, however, be annoying, particularly when they don’t go away and prevent you from using the app itself. Apps that access more information from your phone than they need to function seem harmless, especially since there is no visible evidence of this happening, but they can cause more harm than you may think.
We recommend you to take a closer look at the apps you download during tournament time, be it gaming apps, live streaming apps or apps that allow you to bet for your national team, to make sure you stay safe and as ad free as possible!
Things to look out for when downloading apps:
- Make sure you download from official apps markets. Many of our mobile malware samples come from unofficial app markets, only very few come from the official Google Play store.
- Download official apps you can trust. Google Play is an open and developer friendly platform, which is why it contains a plethora of apps. We totally understand why people are sometimes overwhelmed with all the apps they can choose from, we found over 125 vuvuzela apps on Play! We recommend users play it safe and download official apps from developers they can trust. Trusted developers appreciate their users, meaning they want to provide them with a quality product, not one that is flooded with apps. FIFA has a great live score/news appand EA Sports has an official FIFA gaming app.
- Compare app functionalities to the access they request. Some apps need access to certain data on your device, a map app needs access to your location so it can give you directions. App access requests start becoming suspicious when for example your vuvuzela app wants access to your location. Unless your new vuvuzela app uses your location to determine what country you are in to then play your country’s national anthem, why does it need to know your location? Always be cautious when giving apps access and make sure the requests make sense depending on what the app does. You don’t want to carelessly hand over sensitive information that could later be used against you.
- Read user comments. You can’t always trust what people write online, but if multiple people really appreciate or dislike an app you can get a good idea of whether or not you should download it based on the feedback they give.
Our mobile security app avast! Mobile Premium has an Ad Detector feature. Ad Detector finds out which apps are linked to ad networks and provides details of their tracking system, so you have a full overview of all the ad networks contained within your apps.
You can download avast! Mobile Security for free from Google Play or for additional features, like Ad Detector, you can download avast! Mobile Premium for $1.99 a month.
avast! Virus Lab infographic shows how prolific and wide-spread Browser Ransomware attacks have been over the last three months.
During December I wrote about the tricks and tactics of Browser Ransomware. Browser Ransomware is malware that works in different types of browsers to prevent people from using their PCs. To get access back to their own PC, the victim of this malware must pay a ransom to unblock it. The key to success for this attack is its translations into many different languages, giving the cybercrooks a bigger pool of potential victims.
Today I would like to look back on Browser Ransomware attacks and share some data from our avast! CommunityIQ with you.
We detect Ransomware attacks using several different methods. The detections I checked were created January 30, 2014. I was really surprised at the huge impact this attack has had on AVAST users.
- In a little under 3 months, AVAST protected more than a half million unique users around the world from Ransomware attacks.
- In the past 6 weeks, AVAST users have unknowingly visited a site with Ransomware on it over 18 million times.
- During last 24 hours, AVAST stopped redirection from infected sites to sites hosting Ransomware for more than 18,000 unique users. Read more…