The source code for Tinba, known as the smallest banker Trojan in circulation, has been posted on an underground forum. Researchers say that the files turned out to be the source code for version one of Tinba, which was identified in 2012, and is the original, privately sold version of the crimeware kit.
Tinba performs many of the same malicious functions as other banker Trojans, injecting itself into running processes on an infected machine, including the browser and explorer.exe. The malware is designed to steal financial information, including banking credentials and credit-card data, and also makes each infected computer part of a botnet. Compromised machines communicate with command-and-control servers over encrypted channels. Tinba got its name from an abbreviation of “tiny banker”, and researchers say that it’s only about 20 KB in size.
Researchers at CSIS in Denmark first identified Tinba and last week found a post on an underground cybercrime forum that included an attachment that turned out to be the Tinba source code. After analyzing the files, CSIS determined that the source code was for version one of the malware, which they believe likely was sold at some point and modified and improved by other attackers. Though this is the older version of the banker Trojan, it works without any hitches.
“So, our research on this malware and the group behind it proves to have been correct. Sometime around 2012, the Tinba version 1 source code was taken over by new criminals and it is precisely the version 1 source code which has now been made available to the public and not the code being used in current and ongoing attacks,” Peter Kruse, security specialist at CSIS, said in a post.
“The Tinba leaked source code comes with a complete documentation and full source code. It is nicely structured and our initial analysis proves that the code works smoothly and compiles just fine.”
Kruse said via email that while the first version of Tinba was used privately, the second iteration has had a different trajectory.
“The second version, which also includes a lot of changes to the panel/interface, appears to be sold as a crime-as-a-service but only through closed channels. The second version indicates that the code was indeed sold in 2012 and then reworked by other IT criminals,” he said.
The posting of the Tinba source code follows leaks of the source for other much more well-known and widespread Trojans. In 2011 the Zeus source code leaked, leading researchers to worry that attackers would use it as the basis for new creations, which eventually came in the form of things such as Citadel. And then in 2013 the source code leaked for Carberp, a previously privately sold crimeware kit that fetched as much as $40,000.