This time we will write about a campaign targeting customers of Polish financial institutions. The Trojan is spread by email attachments pretending to be pictures. Examples of the email headers are shown in the following image.
In fact, the zip attachments contain executable files - IMG-0084(JPEG).JPEG.exe, fotka 1.jpeg.exe. The interesting thing is that the binary looks almost like the regular WinObj tool from Sysinternals; however, there are differences: the original version of WinObj carries a valid digital signature, while the malware has none.
The most significant difference is in the payload that replaced the original code. The code is identical up to VA 0x414923, where the original code is replaced by malicious code, as you can see in the following image.
This Tiny Banker build contains some modifications, including anti-debug tricks; however, the encryption remains the same: RC4 with a hard-coded password.
Using the RC4 algorithm with the hard-coded password we were able to get the configuration file for the Banker.
The configuration file provided us with information about the targeted financial institutions in Poland.
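As an added example (not code from the original post), here is how the configuration extraction described above can be reproduced in Python: a plain RC4 implementation, a printable-text check that tells a correct key from a wrong one or a wrong blob offset, and a parser that pulls the targeted URL patterns out of the decrypted config. The key, the config layout (webinject-style set_url lines) and the encrypted sample blob are all constructed assumptions here, since the real password and config are not reproduced on this page.

```python
def rc4_ksa(key: bytes) -> list:
    # Key-scheduling algorithm: derive the 256-byte state permutation from the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    # PRGA keystream XORed over the data; RC4 is symmetric, so this both encrypts and decrypts.
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_config(plaintext: bytes) -> bool:
    # Key check: the real config decrypts to printable text; a wrong key yields noise.
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)

def extract_targets(plaintext: bytes) -> list:
    # Collect URL patterns from 'set_url <pattern> <flags>' lines (webinject-style layout assumed).
    targets = []
    for line in plaintext.decode("ascii").splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "set_url":
            targets.append(parts[1])
    return targets

def recover_config(blob: bytes, key: bytes) -> list:
    # Decrypt the embedded blob, check that the key actually fits, return the targeted URL patterns.
    plaintext = rc4_crypt(key, blob)
    if not looks_like_config(plaintext):
        raise ValueError("not a text config after decryption: wrong key or wrong blob offset")
    return extract_targets(plaintext)

# Constructed stand-in for the blob carved from the binary (not the real sample's key or config).
PLACEHOLDER_KEY = b"<hard-coded-password-from-sample>"  # placeholder, not the real password
SAMPLE_CONFIG = (b"set_url https://*.bank1.example/* GP\r\ndata_inject\r\n<script src='//inject.example/x.js'>\r\n"
                 b"data_end\r\nset_url https://*.bank2.example/login* G\r\n")
SAMPLE_BLOB = rc4_crypt(PLACEHOLDER_KEY, SAMPLE_CONFIG)
```

Calling `recover_config(SAMPLE_BLOB, PLACEHOLDER_KEY)` returns the two targeted URL patterns; with the real sample, the blob would be carved from the binary at the offset where the encrypted config is stored and the hard-coded password used as the key.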
Avast customers are protected by the following detections: Win32:Kryptik-PMD [Trj] and Win32:Kryptik-PME [Trj].
Malware spread by email scams is pretty common. Malware authors use Tiny Banker to target customers of multiple financial institutions around the world. This time they used a legitimate binary and replaced its original code with their payload.