XenonStack Recommends

Security Intelligence

Tinba : The Tiny Banker Trojan Compromising your Financial Accounts

Parveen Bhandari | 13 Aug 2022

Tinba Virus

What is Tinba Virus?

The Trojan virus infects end-user devices and offers to compromise their financial accounts and steal funds. Tiny Banker Trojan short form is Tinba, a malware program targeting financial institution websites. It is known for its small size but powerful abilities. A smaller virus is much harder to detect. Tinba is the smallest at just 20KB.

The primary purpose of the trojan is to steal information which could be browsing data, login credentials, and banking information. It was discovered in 2012, The Tinba virus, in the beginning, infected 1000 Turkish Computers. Once it was discovered, the source code for the virus was leaked out online and had undergone various revisions, making it quite difficult for financial institutions to find out.

What is the Impact of Tinba Virus?

Tiny Banker infects systems & browsers and stores information sent to and from banking sites. Once a user logs onto a banking website, a malicious pop-up window seems to pose for login credentials exploiting the initial brand and name of the particular website.

Tiny Banker's source code has been uploaded online, with new malware iterations continuing to emerge. Since its peak in 2016, it's been thought of as one of the harmful malware strains affecting the banking industry.

How does Tinba Banking virus works?

Infected websites will distribute Tiny Banker, with victims lured via phishing emails and fake advertising content. Once a vulnerable system runs Tinba, it replicates it underneath the name bin.exe to the %AppData% folder.

Various versions of Tinba find themselves in several folders—variants created folders with arbitrarily generated names supporting data concerning the infected system. Tinba encrypts the memory usage to avoid detection.

When the infected system restarts, bin.exe runs, and Tiny Banker persists on the pc. Tinba will modify internet browsers like person and Firefox, disabling warning messages and sanctioning HTTP content on HTTPS websites while not prompting. Small Banker targets processes like person.exe and svchost.exe on Windows as alternative running processes.
TBT encrypts its communications with command and management servers and maintains handiness by mistreatment of four C&C domains. It's native config files it will use once unable to attach to a server.

Performing Browser Attacks with Tinba Virus

The Browser attacks use kind grabs to intercept keystrokes before they're transmitted to the website over the encrypted HTTPS protocol. This effectively bypasses HTTPS and permits the wrongdoer to steal the user's knowledge.

Tinba comes with an internet injection element containing malicious JavaScript code. This is often malware that may apply dynamic internet injection to several online banking websites. The net injection element adapts precisely to the initial website's look, making it troublesome for users to identify.

The web injection mechanism displays dishonest messages to the user. For example, the financial organization wants them to enter their account details and prompts them to enter sensitive information to verify their identity. Users area units asked not just for money info, like checking account or MasterCard knowledge, however additionally identification info like Social Security numbers. To boot, users area units asked for common security queries, like their mother's family name.

The threat actor will then use browser man within the middle (MitM) attacks to transmit the victim's out there balance to questionable "cash mules' '. These area unit third parties withdraw funds and send them to threat actors in an untraceable manner in exchange for a commission.

Remediation/Removal of Tinba Trojan

The most common ways that Tinba infects a system are once users transfer free computer code from unfamiliar websites, click on pop-up ads, click on infected links or attachments in phishing emails, or transfer content from the dark internet or torrent files.

Cleaning up a small Banker is challenging because it injects malicious code into legitimate processes. There are two primary choices for removing the trojan:

  • Most major anti-malware firms supply small Banker cleaners.

  • You can use a full system state backup to revive before infection. However, selecting a restored purpose can be challenging as a Tinba infection might not be in real-time obvious. Also, any changes created since the restoration purpose will be lost.

Cyber Security Services

End-to-End Proactive Solutions for empowering Advanced Threat Protection and Intelligence with Real-Time Analytics, Cyber Security Services

How to prevent Banking Trojans?

As the threat of thieving via banking trojans will increase, there area unit variety of the way that users will defend themselves:

1. Beware of phishing emails

While opening an email from an untrusted source or emails from a trustworthy supply that contains unusual content or requests, users shouldn't click links, execute files or open Microsoft workplace documents.

2. Committing native devices with security solutions

Modern security solutions will defend users from malware and different attack vectors. An honest security answer will effectively sight and block banking trojans by police work and malicious content in files or phishing messages. Notwithstanding users browse the net on a remote device, they should deploy well-known, effective anti-malware solutions.

3. Unusual behaviour

Users should look out for suspicious activity from banking and money services websites. They should pay special attention to new login fields they haven't seen before, notably after requesting personal knowledge. Users should consider what the bank generally doesn't elicit and look for minor flaws or changes within the website style or show.

4. Mobile application Installation from trustworthy sources

This is particularly necessary for banking applications. Downloading apps from famed and trustworthy sources like Google Play and Apple App Store doesn't guarantee users won't transfer malicious applications; however, it'll defend them from most threats.

5. Back up necessary files

Users ought to create offline copies of their most vital files on external devices or cloud storage services. Today's common banking trojans distribute malicious computer codes like ransomware once their initial section, which may deny users access to their files.


Tinba virus is known as a tiny banking Trojan. The attack methods can vary from e-mail spam, drive-by downloads, and Exploit Kit infection cycle. Metasecure actively monitors this malware family and ensures complete coverage for our clients.

Click here to explore more critical Viruses and their Remediations