Detecting a new Tinba variant using RSA Security Analytics

Blog Post created by ahsonbol on Mar 16, 2015

Tinba is an info stealer malware that uses web injects to trick users of different financial institutions into giving their personal information like social security number, address and credit card information. The malware family; that was first identified by security researchers at Trend Micro and CSIS; got its name from its small size. That’s right, a tiny banker Trojan.

We identified a new Tinba variant in RSA FirstWatch Malware Analysis Systems. This is a screenshot from the investigator module in our RSA Security Analytics instance:


As expected the communication between the infected machine and its C2 domain is encoded and/or encrypted.


Given all the network artifacts mentioned above and assuming the appropriate meta keys are enabled, an analyst can develop an app rule on RSA Security Analytics to detect the malicious traffic. The following query can be used:


     directory = '/el0hjkd76ghs65dhj0it/' && action = 'put' && filename = '<none>' && extension = '<none>'    

As of this writing, VirusTotal  has a moderate detection rate of the sample under investigation.

Finally, all of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.