Industry Insights

Cybrella researchers take a deeper look at banking malware on the rise

April 4, 2022


Tal Katz

Cloud & IT Security Director

Cybrella researchers take a deeper look at banking malware on the rise

To name a great example of these stealthy, new malware variants, “tinba v2”, the new variant of timba banking malware discussed by Trusteer. Tinba, upon further inspection, has included functions that can render it invisible to modern day threat detection systems. Like many malware variants, tinba v2 has functions that can render two factor authentication (2FA) useless.

Compromised 2FA leaves credentials and PII susceptible to the attempts and prying eyes of a potential would be threat actor.  The malware sends the victim to a spoofed, clone of their bank’s website, wherein all credentials are harvested via form fields. The victim of this malware would then be presented with an error message whilst the credentials and 2fa data are sent to the attacker that deployed the malware.

Since the credentials and 2FA tokens, authorization etc, has been compromised by Tinba v2 and there is never a point the victim reaches the bank’s backend servers, the malware is never flagged by malware detection mechanisms and therefore persists. The Victim all the while existing in a false sense of security.

Some banks have incorporated layered monitoring controls, but since timba v2 prevents communication with the backend, defenses designed to benefit the bank website, never take effect. The malware waits for the victim’s interaction with the URL bar, and when the bank’s website address is inserted, a signal is then sent to the C&C server (command and control server) at which point timba injects a webpage. This webpage, unlike often seen in this scenario, is fully interactive and prevents the user from reaching the banking website as their intended endpoint.

This new variant is becoming troublesome considering layered security was brought onto scene by banks attempting to address security concerns of its predecessor and other banking malware variants of a similar nature.

The newest variant of tinba differs from the original variant as described above, the new version acts as an in between point preventing a user from reaching their intended endpoint. However, the original tinba acted as a real time viewer, documenting banking activities and online sessions as they occurred.

The new tinba variant has the means to skirt around conventional fraud detection mechanisms, as per example, those outlined in The Federal Financial Institutions Examination Council’s authenticated guidance that many banks and their subsidiaries rely upon.

*Technology vector created by -


Related Posts