Tinba malware updates itself to make removal harder

Posted on Friday, June 26 2015 @ 12:22 CEST by Thomas De Maesschalck
Malwarebytes discovered a new piece of malware named Tinba; this Trojan automatically updates both itself and its command servers to try to stay one step ahead of anti-virus tools. Tinba is spread via "malvertising" campaigns: it uses ads embedded within a URL shortener service to lead users to the HanJuan exploit kit (HanJuan EK). The goal of Tinba is to steal user credentials, passwords and other sensitive data.
"Often times cyber criminals will use URL shorteners to disguise malicious links," the blog post explains. "However, in this particular case, it is embedded advertisement within the URL shortener service that leads to the malicious site.

"It all begins with Adf.ly, which uses interstitial advertising, a technique where adverts are displayed on the page for a few seconds before the user is taken to the actual content."

Following a complex malvertising redirection chain, the HanJuan EK is loaded and fires Flash Player and Internet Explorer exploits before dropping a payload onto disk.

"The payload we collected uses several layers of encryption within the binary itself but also in its communications with its command and control server," added the firm.
Full details at The Inquirer and MalwareBytes.

[Figure: Tinba infection chain]

