A NEW VARIANT of the Tinba malware that can update itself and potentially steal user credentials has been discovered by security firm Malwarebytes.
Delivered via a 'malvertising' campaign, the malware steals credentials by hooking itself into the user's web browser and intercepting data such as usernames and passwords inside the browser, before they are encrypted for transmission and sent to a server for authentication.
The firm said on its blog that the malware spreads via a URL shortener leading to HanJuan EK, a rather elusive exploit kit that in the past was used to deliver a Flash Player zero-day exploit.
"Oftentimes cyber criminals will use URL shorteners to disguise malicious links," the blog post explains. "However, in this particular case, it is an embedded advertisement within the URL shortener service that leads to the malicious site.
"It all begins with Adf.ly, which uses interstitial advertising, a technique where adverts are displayed on the page for a few seconds before the user is taken to the actual content."
Following a complex malvertising redirection chain, the HanJuan EK is loaded and fires Flash Player and Internet Explorer exploits before dropping a payload onto disk.
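To show what "following a malvertising redirection chain" involves in practice, here is a small Python tracer. It is an added example, not code from Malwarebytes or from the blog post the article quotes. It follows a chain hop by hop without executing any script: it honours server-side 3xx redirects, then meta refresh, JavaScript location assignments and finally an iframe (the usual way an exploit-kit landing page is pulled into an otherwise benign page), resolves relative targets, stops on loops and caps the hop count. The sample responses are constructed; all hosts are hypothetical .example domains except adf.ly, which the article names, and the shortener list is illustrative.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# A fetcher returns (status, headers, body) for a URL, or None if it cannot be
# fetched. It must not execute scripts; in practice it would wrap an HTTP client
# that only records responses, or replay a proxy capture.
Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str], Optional[Response]]

# Client-side navigation patterns that matter in malvertising chains. A real
# tool would parse the DOM; regexes are enough to show the chain logic here.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)
IFRAME_SRC = re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)

# Illustrative list of URL shortener hosts (adf.ly is the one named in the article).
SHORTENERS = {"adf.ly", "bit.ly", "goo.gl", "t.co", "tinyurl.com"}


def next_hop(url: str, resp: Response) -> Optional[str]:
    """Return the URL a browser would load next, or None if the chain ends here.

    Server-side redirects (3xx + Location) take precedence; then meta refresh,
    JavaScript location assignment, and finally an iframe.
    """
    status, headers, body = resp
    lower = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in lower:
        return urljoin(url, lower["location"])
    for pattern in (META_REFRESH, JS_LOCATION, IFRAME_SRC):
        m = pattern.search(body)
        if m:
            # Resolve relative targets against the page that referenced them.
            return urljoin(url, m.group(1))
    return None


def trace_chain(start: str, fetch: Fetcher, max_hops: int = 10) -> List[str]:
    """Follow the chain from start; stop on a terminal page, a loop,
    an unfetchable URL, or after max_hops hops."""
    chain = [start]
    while len(chain) - 1 < max_hops:
        resp = fetch(chain[-1])
        if resp is None:
            break
        nxt = next_hop(chain[-1], resp)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def flag_shorteners(chain: List[str]) -> List[str]:
    """Hosts in the chain that are known URL shorteners, in order of appearance."""
    hosts = [urlsplit(u).hostname or "" for u in chain]
    return [h for h in hosts if h in SHORTENERS]


# Constructed sample responses standing in for a captured chain. Every host is
# hypothetical (.example domains) except adf.ly, which the article names.
SAMPLE_RESPONSES: Dict[str, Response] = {
    "http://adf.ly/1abc": (200, {"Content-Type": "text/html"},
        '<html><body>Skip ad in 5 seconds'
        '<script>setTimeout(function(){ window.location = "http://ads.example.net/serve?slot=7"; }, 5000);</script>'
        '</body></html>'),
    "http://ads.example.net/serve?slot=7": (302, {"Location": "/click?cid=42"}, ""),
    "http://ads.example.net/click?cid=42": (200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" content="0; url=http://lp.example.org/land.html"></head></html>'),
    "http://lp.example.org/land.html": (200, {"Content-Type": "text/html"},
        '<html><body><iframe src="http://ek.example.org/gate.php" width="1" height="1"></iframe></body></html>'),
    "http://ek.example.org/gate.php": (200, {"Content-Type": "text/html"},
        '<html><body>(constructed stand-in for an exploit-kit landing page)</body></html>'),
}


def sample_fetch(url: str) -> Optional[Response]:
    return SAMPLE_RESPONSES.get(url)


if __name__ == "__main__":
    chain = trace_chain("http://adf.ly/1abc", sample_fetch)
    for i, u in enumerate(chain):
        print(f"{i}: {u}")
    print("shorteners in chain:", flag_shorteners(chain))
```

The point of keeping the fetcher pluggable is that a chain like this is usually reconstructed from a proxy or packet capture rather than by re-visiting the URLs, since ad networks and exploit-kit gates often serve different content (or nothing) to a second visitor or a non-browser client.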
"The payload we collected uses several layers of encryption within the binary itself but also in its communications with its command and control server," added the firm.
The purpose of the Trojan is to steal information by hooking the browser so that it sits as a man-in-the-middle inside the browser itself (a man-in-the-browser attack), grabbing passwords and other sensitive data as they are entered.
The dropped binary, which Malwarebytes nicknamed Fobber, is what runs once the malware reaches a user's system. It can steal valuable user credentials and is also fairly resilient to removal and takedown, since it receives updates both to its own code and to its list of command and control servers.
"While our research teams have not observed Fobber stealing any banking information, it certainly seems possible considering the flexibility offered by the malware's update model," said the security company. "We will continue to provide any updates on Fobber in our blog as we see any improvements made in the malware."
Malwarebytes said it has also passed on the information about the command and control server so that a forensic analysis and full investigation can be conducted.