Risk: High.
UgCERT issues a high-severity advisory to alert stakeholders to active campaigns involving the Tinba (aka TinyBanker/Zusy) Trojan that are targeting financial systems in Uganda.
Platforms Affected:
Microsoft Windows OS
Summary:
Tinba is a very small but powerful banking trojan (about 20 KB in size) that infects a computer and secretly watches what the user does in their web browser. When the user logs into online banking, Tinba steals their username and password and can even alter what appears on the screen to trick them.
When its source code was leaked on underground forums, many criminals were able to create their own versions of it. Tinba is usually spread through malicious online ads, compromised websites that exploit security weaknesses in visitors' browsers, and phishing emails.
Description & Consequences:
Tinba is known for being extremely small and efficient, which allows it to spread widely and operate without noticeably slowing down infected computers.
The leaked code reveals a compact and highly optimized design focused specifically on financial credential theft. Unlike larger and more complicated banking trojans, Tinba is built to perform a focused set of tasks: injecting itself into running web browser processes, intercepting web traffic before it is encrypted, modifying banking web pages in real time, and downloading configuration files that list which banks to target.
The source code shows a modular structure that allows attackers to customize targeting rules without rewriting the core malware. Configuration files can define which banking websites to monitor and what data to intercept. Because the code is relatively small and efficient, it is easy for threat actors to modify and redeploy, leading to multiple variants.
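Because the advisory describes the browser-process injection as the first step of the infection, the most useful detection point for defenders is cross-process access into a browser by something that is not the browser. The following is an added example, not code from UgCERT or from Tinba itself: it scans constructed, EDR-style events (field names are an assumption, modelled loosely on Sysmon's process-access and remote-thread events) and flags the combinations of access rights and remote-thread creation that injection requires.

```python
"""Flag cross-process injection into browser processes from EDR-style telemetry.

Added example, not part of the UgCERT advisory. The Event record below is a
constructed, simplified stand-in for what an EDR or Sysmon (process-access /
remote-thread events) would log; the field names are assumptions, not a
specific product's schema.
"""
from dataclasses import dataclass

# Browser process names Tinba-style banking trojans inject into.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}

# Windows PROCESS_* access-right bits (real values from the Win32 API).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Writing memory or creating a thread in another process is what classic
# injection needs; VM_OPERATION alone is too common in benign tooling to flag.
INJECTION_RIGHTS = PROCESS_VM_WRITE | PROCESS_CREATE_THREAD


@dataclass
class Event:
    kind: str          # "process_access" or "remote_thread" (assumed field)
    source: str        # image name of the process doing the access
    target: str        # image name of the process being accessed
    access: int = 0    # granted access mask, only for "process_access"


# Constructed sample telemetry (not real IoCs).
SAMPLE_EVENTS = [
    # OS component querying basic info: benign.
    Event("process_access", "csrss.exe", "chrome.exe", PROCESS_QUERY_LIMITED_INFORMATION),
    # Office document opening a browser with write + thread rights: suspicious.
    Event("process_access", "winword.exe", "iexplore.exe",
          PROCESS_VM_OPERATION | INJECTION_RIGHTS),
    # Remote thread created in a browser by an unrelated process: suspicious.
    Event("remote_thread", "explorer.exe", "firefox.exe"),
    # Multi-process browsers manage their own child processes: benign.
    Event("remote_thread", "chrome.exe", "chrome.exe"),
    Event("process_access", "chrome.exe", "chrome.exe", INJECTION_RIGHTS),
    # Injection-style access into a non-browser process is out of scope here.
    Event("process_access", "svchost.exe", "notepad.exe", PROCESS_VM_WRITE),
]


def injection_reason(ev: Event):
    """Return a short reason string if the event looks like browser injection, else None."""
    target = ev.target.lower()
    if target not in BROWSERS:
        return None
    # A browser touching a process of its own image name is normal; a
    # production rule would also allowlist the EDR agent and known tooling.
    if ev.source.lower() == target:
        return None
    if ev.kind == "remote_thread":
        return "remote thread created in browser process"
    if ev.kind == "process_access" and ev.access & INJECTION_RIGHTS:
        return "browser opened with VM_WRITE/CREATE_THREAD rights"
    return None


def find_injection_candidates(events):
    """Return [(event, reason)] for every event that matches the injection rule."""
    found = []
    for ev in events:
        reason = injection_reason(ev)
        if reason:
            found.append((ev, reason))
    return found


if __name__ == "__main__":
    for ev, reason in find_injection_candidates(SAMPLE_EVENTS):
        print(f"ALERT {ev.source} -> {ev.target}: {reason}")
```

On a real estate the same rule would be expressed as an EDR or SIEM query over the product's own event schema; the allowlist of legitimate sources (the EDR agent, accessibility tools, the browser's own updater) is where most of the tuning effort goes.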
Persistent infections expose victims to:
- Real-time transaction manipulation
- Ongoing command-and-control communication
- Broader system compromise if attackers leverage the access further
- Harvesting of corporate banking credentials
Solutions:
Organizations and individual users are advised to implement the following measures to reduce the risk posed by Tinba malware:
- Rotate banking credentials regularly, automated where possible
- Install only genuine, verified copies of Windows
- Monitor browsers for unusual behaviour
- Keep browsers and browser plugins patched
- Enforce multi-factor authentication (MFA) for online banking
- Deploy endpoint controls that prevent code injection
If an infection is confirmed, to contain and recover:
- Establish containment via network isolation and removal of persistence
- Validate clean backups
- Perform credential resets
- Monitor for reinfection using EDR and DNS/proxy telemetry
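The advisory lists ongoing command-and-control communication as a consequence of infection and recommends DNS/proxy telemetry for spotting reinfection. One practical signal in that telemetry is beaconing: a host contacting the same domain at nearly constant intervals. The following is an added example, not code from the advisory; it parses constructed proxy log lines (a simplified, Squid-like space-separated format that is an assumption, not any product's real schema) and reports client/domain pairs whose request intervals are suspiciously regular.

```python
"""Flag periodic outbound requests (possible C2 beaconing) in proxy log lines.

Added example, not part of the UgCERT advisory. The log format is a constructed,
Squid-like line: "<epoch> <client_ip> <method> <url> <status> <bytes>". A real
deployment would parse its own proxy or DNS log schema instead.
"""
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: 10.0.0.5 posts to one domain roughly every 60 s;
# 10.0.0.9 browses a news site at irregular, human-looking intervals.
# Domains use the reserved .example TLD and are not real indicators.
SAMPLE_LOG = """\
1700000000 10.0.0.5 POST http://cfg-update.example/gate.php 200 512
1700000061 10.0.0.5 POST http://cfg-update.example/gate.php 200 498
1700000119 10.0.0.5 POST http://cfg-update.example/gate.php 200 505
1700000180 10.0.0.5 POST http://cfg-update.example/gate.php 200 510
1700000241 10.0.0.5 POST http://cfg-update.example/gate.php 200 503
1700000005 10.0.0.9 GET http://news.example/ 200 14000
1700000007 10.0.0.9 GET http://news.example/style.css 200 3000
1700000420 10.0.0.9 GET http://news.example/sports 200 16000
1700000431 10.0.0.9 GET http://news.example/weather 200 9000
1700001200 10.0.0.9 GET http://news.example/ 200 14200
"""


def parse_lines(text):
    """Parse log text into (timestamp, client_ip, hostname) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, _method, url, _status, _size = parts
        host = urlsplit(url).hostname
        if host:
            events.append((int(ts), client, host))
    return events


def beacon_candidates(events, min_hits=4, max_cv=0.15):
    """Return (client, host, median_gap_seconds, cv) for client/host pairs whose
    inter-request gaps are nearly constant.

    cv is the coefficient of variation (population stdev / mean) of the gaps;
    human browsing produces a high cv, a fixed-interval beacon a low one.
    Malware that adds jitter raises cv, so max_cv is a tuning knob, not a constant.
    """
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)

    found = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # duplicate timestamps; not a beacon signal
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found.append((client, host, statistics.median(gaps), round(cv, 3)))
    return found


if __name__ == "__main__":
    for client, host, gap, cv in beacon_candidates(parse_lines(SAMPLE_LOG)):
        print(f"ALERT {client} -> {host}: ~{gap:.0f}s interval (cv={cv})")
```

Run against a day of real proxy or DNS logs, the same logic is a cheap first pass for reinfected hosts after a cleanup; pairs it flags still need triage, since software update checks and monitoring agents beacon just as regularly as malware does.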