The source code for Tinba, known as the smallest banking Trojan in circulation, has been leaked on an underground forum. Researchers found that the file, posted to a closed Russian underground forum, contains the source of Tinba version one: the build first identified in 2012, originally sold privately as part of a crimeware kit and subsequently used to infect thousands of computers worldwide.
Tinba, also known as Zusy or Tiny Banker, is a minuscule banking Trojan only about 20 kilobytes (KB) in size. Its tiny footprint helps it stay under the radar of antivirus engines, and it uses man-in-the-browser (MitB) web injects in an attempt to defeat two-factor authentication. The Trojan does not rely on any advanced encryption or packing of its own binary, and it performs the tasks any other banking Trojan would: it injects itself into well-known running processes such as explorer.exe, hooks browser network functions to intercept traffic, steals financial information including online-banking and credit-card credentials, and enrolls the infected machine in a botnet. Infected machines communicate with their command-and-control (C&C) servers over encrypted channels.
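To make the man-in-the-browser claim concrete, here is an added example (not code from the leaked Tinba source or from CSIS) of how a web inject rewrites a bank's login page before the victim sees it. It uses the ZeuS-style `set_url` / `data_before` / `data_inject` / `data_after` rule format; that Tinba's configs use exactly this syntax is an assumption here. The login page, the inject rule and the `bank.example` URL are all constructed for the demo. The last function shows the page-integrity check a defender would run: input fields present in the rendered DOM that the server never sent.

```python
import re
from dataclasses import dataclass


@dataclass
class Inject:
    url_mask: str          # glob-style mask matched against the page URL
    before: str = ""       # text that must precede the replaced region
    inject: str = ""       # HTML the Trojan writes into the page
    after: str = ""        # text that closes the replaced region


# Constructed inject rule in the ZeuS-style format (assumed here for Tinba).
# It asks the victim for a one-time code on the bank's own login page, so the
# second factor is harvested before the legitimate request is ever sent.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<label>One-time code from your token:
<input type="text" name="otp"></label>
data_end
data_after
<button type="submit">
data_end
"""

# Constructed login page as the bank's server would send it.
SERVED_PAGE = """\
<form method="post" action="/login">
<input type="text" name="username">
<input type="password" name="password">
<button type="submit">Log in</button>
</form>
"""


def parse_config(text: str) -> list[Inject]:
    """Parse set_url / data_* / data_end blocks into Inject rules."""
    rules: list[Inject] = []
    section = None
    buf: list[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url "):
            rules.append(Inject(url_mask=stripped.split()[1]))
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped[len("data_"):], []   # before/inject/after
        elif stripped == "data_end" and section is not None:
            setattr(rules[-1], section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def url_matches(mask: str, url: str) -> bool:
    """Glob match: '*' in the mask matches any run of characters."""
    pattern = re.escape(mask).replace(r"\*", ".*")
    return re.fullmatch(pattern, url) is not None


def apply_injects(url: str, html: str, rules: list[Inject]) -> str:
    """Replace the text between data_before and data_after with data_inject,
    the way a MitB hook rewrites the response before the browser renders it."""
    for rule in rules:
        if not url_matches(rule.url_mask, url):
            continue
        start = html.find(rule.before)
        if start < 0:
            continue
        start += len(rule.before)
        end = html.find(rule.after, start)
        if end < 0:
            continue
        html = html[:start] + "\n" + rule.inject + "\n" + html[end:]
    return html


def input_names(html: str) -> set[str]:
    return set(re.findall(r'<input[^>]*\bname="([^"]+)"', html))


def unexpected_fields(served: str, rendered: str) -> set[str]:
    """Page-integrity check: input fields in the rendered DOM that the server
    never sent. A non-empty result is a man-in-the-browser indicator."""
    return input_names(rendered) - input_names(served)


if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    rendered = apply_injects("https://bank.example/login?lang=en", SERVED_PAGE, rules)
    print(rendered)
    print("injected fields:", unexpected_fields(SERVED_PAGE, rendered))
```

The injected field is the whole trick: the victim types a valid one-time code into what looks like the bank's own form, and the Trojan forwards it to its operators while the real session is still open. A bank cannot see the rewrite from the server side, which is why the `unexpected_fields` style of DOM comparison (or equivalent client-side integrity scripting) is the usual detection point.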
Researchers at CSIS, which has tracked Tinba since 2012, spotted the leak last week in a post on an underground cybercrime forum that carried the source code as an attachment. After analyzing the files, they concluded it was the original version of the malware, which they believe was sold at one point and then modified by other attackers. Although it is an older version, the leaked code still compiles and runs without issue.
“So, our research on this malware and the group behind it proves to have been correct. Sometime around 2012, the Tinba version 1 source code was taken over by new criminals, and it is precisely the version 1 source code which has now been made available to the public and not the code being used in current and ongoing attacks,” Peter Kruse, security specialist at CSIS, said in a blog post.
“The Tinba leaked source code comes with complete documentation and full source code. It is nicely structured, and our initial analysis proves that the code works smoothly and compiles just fine,” he continues.
The posting of the Tinba source code follows the same path as the 2011 leak of the widely used ZeuS code, which cyber-criminals went on to develop into highly sophisticated commercial crimeware kits.
“We don’t expect the source code of Tinba to become a major inspiration for IT-criminals as was the case for ZeuS. However, making the code public increases the risk of new banker Trojans arising based partially on Tinba source code,” Kruse concluded.