Customers of Russia’s biggest banks are under attack.Dell SecureWorks has detected an ongoing campaign that is targeting users of several Russian banks and payment service providers. The cyber-criminals behind this affair are believed to be operating a large botnet that spreads the Tinba 2.0 banking trojan and aggregates financial information from its victims.
Tinba is a well-known threat in the IT security domain, being active for a few years, mainly focusing on Japanese, European, and North American targets.
Two variants exist, but Tinba 1.0’s source code was leaked in 2014, and many criminal groups have stopped using it ever since. Tinba 2.0 appeared soon after, and just like Tinba 1.0, it is believed to be the creation of an Easter European threat actor.
Tinba 2.0 is sold on the black market as a botnet kit, allowing anyone who purchases it to set up their own C&C server, configure various security and authentication methods to avoid easy detection, and then tweak the trojan’s MO so they could aim at specific targets.
Most Tinba attacks are usually well coordinated and aim only at small geographical areas, a few banks, or user types.
In an uncharacteristic move, the hackers went after local targets
The campaign that Dell SecureWorks detected only targets Russian banks and payment service providers. This is atypical, since many similar banking botnets generally avoided going after Russian targets in the past.
The reason is that most of the criminal groups are based in those areas and tend to avoid hitting local targets so they won’t anger local law enforcement agencies.
A group that didn’t heed this unofficial rule was the Carberp gang, which targeted Russian banks in 2013, and local authorities arrested its leader soon after, a 28-year old Russian man.
Data obtained from a sinkhole on October 15, 2015, shows that 34.5% of all Tinba 2.0 infections are located in Russia.
Dell said that most victims are infected via spam email and exploits kits like Angler, Neutrino, and Nuclear. Once on infected computers, Tinba will start recording financial operations and send the data to its C&C server, where criminals can use it to make fraudulent transactions.
The (unofficial) war between Russia and the Ukraine may help solve the mystery of the attacker’s nationality and location. This information is not confirmed, but only a personal theory.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.