Security Researchers at Trusteer discovered a new financial malware 'Tilon', targeting banks with a full bag of tricks for avoiding AV detection; Researchers says it is new version of the old Silon Trojan.
About Silon: Back in 2009, Trusteer discovered Silon, a financial malware that was defrauding online banking customers protected by two factor authentication systems left and right. In 2010-211 Silon underwent two major updates and continued to “do well”. Lately its numbers have been in decline, causing us to wonder whether Silon’s perpetrators were taking a long vacation in prison.Tilon is a financial malware that employs the “Man in the Browser” (MitB) approach. It injects itself into the browser and then fully controls the traffic from the browser to the web server, and vice versa.
It captures all form submissions (“form grabbing”) from the browser to the web server, logs them and sends them to its command and control (C&C) server, thereby gaining access to all login credentials, transactions, etc.
More interestingly perhaps, it controls the traffic (web pages) from the web server to the browser, and through a sophisticated “search and replace” mechanism it targets specific URLs and replaces parts (small and large) of the pages with its own text.
Furthermore, it comes with an impressive number of antivirus evasion techniques: it doesn’t install properly on a virtual machine, it installs itself with the name of a legitimate service, it launches a process that monitors its files and registries, and it mutates.
