The Tiny Banker Trojan is spread by email attachments.
Tiny Banker aka Tinba Trojan made a name for itself targeting banking customers worldwide. The Avast Virus Lab first analyzed the malware found in the Czech Republic reported in this blog post, Tinybanker Trojan targets banking customers. It didn’t take long for the malware to spread globally attacking customers from various banking behemoths such as Bank of America, Wells Fargo, and RBC Royal Bank, which we wrote about in Tiny Banker Trojan targets customers of major banks worldwide.
This time we will write about a campaign targeting customers of Polish financial institutions. The Trojan is spread by email attachments pretending to be pictures. The examples of email headers are shown in the following image.
In fact, there are executable files in the zip attachments - IMG-0084(JPEG).JPEG.exe, fotka 1.jpeg.exe. The interesting thing is that the binary looks almost like regular WinObj tool from Systernals, however there are differences: The original version of WinObj has a valid digital signature. The malware doesn’t have any.
Most people want to stay on top of their bills, and not pay them late. But recently, unexpected emails claiming an overdue invoice have been showing up in people’s inboxes, causing anxiety and ultimately a malware attack. Read this report from the Avast Virus Lab, so as a consumer you’ll know what to look for, and as a systems administrator for an SMB or other website, you will know how cybercrooks can use your site for this type of social engineering scam.
Recently we saw an email campaign which attempted to convince people to pay an overdue invoice, as you can see on the following image. The user is asked to download an invoice from the attached link.
The downloaded file pretends to be a regular PDF file, however the filename “Total outstanding invoice pdf.com” is very suspicious.
When the user executes the malicious file, after a few unpacking procedures, it downloads the final vicious payload. The Avast Virus Lab has identified this payload as Pony Stealer, a well-known data-stealing Trojan which is responsible for stealing $220,000, as you can read here.
We followed the payload URL and discovered that it was downloaded from a hacked website. The interesting part is that we found a backdoor on that site allowing the attacker to take control of the entire website. As you can see, the attacker could create a new file and write any data to that file on the hacked website, for example, a malicious php script.
Because that website was unsecured, cybercrooks used it to place several Pony Stealer administration panels on it, including the original installation package, and some other malware samples as well. You can see an example of Pony Stealer panel’s help page written in the Russian language on the following picture.
Avast Virus Lab advises:
For Consumers: Use extreme caution if you see an email trying to convince you to pay money for non-ordered services. This use of “social engineering” is most likely fraudulent. Do not respond to these emails.
For SMBs: If you are a server administrator, please secure your server and follow the general security recommendations. As you learned from this article, you can be hacked and a backdoor can be put in your website allowing anyone to upload whatever he wants to your website. Protect yourself and your visitors!
SHA’s and detections:
Avast detections: Win32:Agent-AUKT, Win32:VB-AIUM
I would like to thank Jan Zíka for discovering this campaign.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
The Tinba Trojan aka Tiny Banker targeted Czech bank customers this summer; now it’s gone global.
After an analysis of a payload distributed by Rig Exploit kit, the AVAST Virus Lab identified a payload as Tinba Banker. This Trojan targets a large scope of banks like Bank of America, ING Direct, and HSBC.
In comparison with our previous blogpost, Tinybanker Trojan targets banking customers, this variant has some differences, which we will describe later.
How does Tiny Banker work?
- 1. The user visits a website infected with the Rig Exploit kit (Flash or Silverlight exploit).
- 2. If the user’s system is vulnerable, the exploit executes a malicious code that downloads and executes the malware payload, Tinba Trojan.
- 3. When the computer is infected and the user tries to log in to one of the targeted banks, webinjects come into effect and the victim is asked to fill out a form with his/her personal data.
- 4. If he/she confirms the form, the data is sent to the attackers. This includes credit card information, address, social security number, etc. An interesting field is “Mother’s Maiden Name”, which is often used as a security question to reset a password.
Malware which opens pictures of attractive women to entice its victims has been around for some time. Last month there were more than usual, so I decided to research malware that pretends to be a regular picture, and the results are pretty interesting.
We looked for executable samples with two distinct characteristics: 1. .jpg in their name, and 2. no older than the last three months. About 6,000 unique files which matched this criteria were found. From these samples, we noticed that pretending to be an image is not a family specific criteria but we identified that Win32:Zbot is represented more than other malware e.g. MSIL:Bladabindi-EV, Win32:Banker-JXB,BV:Bicololo-CY, etc.
The important message is that most of these samples are distributed by scams which are sent by email or posted on social media sites. An example of an email scam is pictures below. If you are interested in what the social media scam looks like and how to protect yourself, you should read one of our previous blog posts.
Christmas time is essentially connected with buying presents. There’s a lot of stuff to be done and a lot of opportunities to buy a present in an e-shop to save time. Who doesn’t know someone who buys a Christmas gift online?
The malware authors know and are very keen to take advantage of it. We see scam emails containing order or delivery details every day and they have a lot of common. In fact, it’s nothing new. Such methods are used constantly during the year, it’s nothing special connected to Christmas. However, Christmas is the reason why many people might be fooled. Let’s look at them in detail.
Imagine you are customer waiting for a present to be delivered. You get anxious and check your email waiting for order details. You are probably the most vulnerable at this time. Then you get an email from DHL, the well-known parcel delivery service, with a notice saying that the shipping details are in an attachment. In that moment of relief, you click on the email attachment. It turns out to be a zip file containing a file named DHL-parcel.exe. The strange thing is the file extension looks like regular PDF file because it has the same icon. In fact, it is malware.
Grum, one of the largest spamming botnets, suspected to be responsible for over 17% of worldwide spam (as described here), which was “killed” in July 2012, still lives. We have been tracking its activity since January 2013. We can confirm spiderlab’s doubts about the grum killing published in March 2013. The following article provides some details about registered grum activity.
We have seen grum activity on following sites:
Every bot client generates its own identification number (ID) on its first run. The length of the ID is 32 characters. The first three correspond with a bot version and the other 29 characters are randomly generated. It is also set to the HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\BITS\ID registry key, which is queried on every run.
After the bot sets its ID, it tries to connect to a C&C server.
1) The bot contacts C&C server with a HTTP GET request to get the FQDN of the client’s computer
2) The information is used to contact one of the SMTP servers obtained from DNS MX records from following domains which are used for sending spam:
3) Then the C&C server is contacted by the following request
The smtp variable is set to ‘ok’ when the bot successfully contacts one of the SMTP servers and set to ‘bad’ if it does not.
4) The C&C server answers with a message which looks like a typical BASE64 encoding
Actually the message is encrypted by RC4 algorithm with key equals to the bot’s ID and then it is encoded by BASE64.
The whole decryption algorithm written in C# could look like this:
The bot id is 72176717204370682282907051332175 for the mentioned message.
After decryption process we can see the message:
5) The bot remembers the ot variable and sends the HTTP task request without the ot variable.
6) The C&C answers with spamming instructions including spam mail template which is also encrypted by the schema mentioned above.
The interesting thing is that sent spam is similiar to scam described on our blog in the past.
Finally, we provide a screenshot of encrypted instructions, a spam email and an example of decrypted instructions .
Received: by work.ozucfx.net (Postfix, from userid %W_RND_INT)
id E%W_RND_INTCE%W_RND_INTE; %DATE
From: Work at Home <%FROM_EMAIL>
Subject: Your second chance in life just arrived
Content-Type: text/html; charset=us-ascii