September 26, 2016

Trusteer discovers a new financial malware and names it Tilon

(LiveHacking.Com) – Trusteer has discovered a new financial malware  based on the 2009 Silon banking trojan. This new variant, named Tilon, is capable of defrauding online banking customers protected by two factor authentication systems and also uses several tricks to avoid being detected by Anti-virus software.

Tilon is “Man in the Browser” (MitB) malware that injects itself into a browser (including Microsoft Internet Explorer, Mozilla Firefox and Google Chrome) and then monitors and manipulates the traffic sent from the browser to a web server and vice versa.

All forms that are filled out by the user are grabbed and sent to a command and control (C&C) server. The upshot of which is that banking login details are sent to the malware authors who can then use the information to hack into the victim’s bank account. The malware also uses a search and replace mechanism to modify certain URLs and replace text to trick the user.

The malware is also capable of tricking AV software and currently only 4 out of the 41 major AV engines can detect the malware. To avoid detection Tilon tries the following tricks:

  • Tilon will not install itself on a virtual machine, instead when a VM is detected it will install a piece of scamware and so the malware will be wrongly tagged and its true nature hidden. The resaon for not installing on a VM is that many security researchers use VMs for their research and not actual PCs.
  • Tilon is also thought to change the way to generates filenames and so makes it harder to distinguish.