Security researchers at Trusteer have discovered a new financial malware strain that captures form submissions to steal banking account credentials.
Trusteer said the new Tilon financial malware uses a man-in-the-browser (MitB) attack, targeting users of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and others. It fully controls the traffic from the browser to the Web server, gaining access to login credentials and other transactions, according to Amit Klein, CTO of Boston-based Trusteer.
The Tilon Trojan uses many of the features of other financially driven malware, such as the Zeus and SpyEye families, but it is closely related to Silon, malicious code detected by Trusteer in 2009. Klein said that even more interesting is the ability of the Tilon malware to control traffic back from the Web server to the browser. It uses a sophisticated method of searching and replacing pages with its own text to trick the victim.
"What is most impressive about Tilon is the breadth of evasion techniques it employs to avoid detection and scrutiny, and to survive attacks by security products," Klein wrote in a blog entry detailing the new Tilon malware.
The financial industry has had to deal with a variety of financial Trojans, primarily driven by increasingly sophisticated automated attack toolkits. Silon was seen as a serious threat in 2009 because it took advantage of hardware tokens to add cybercriminals as new payees to bank accounts. Once an account connection is established, the cybercriminals behind the Tilon Trojan set up a mule account to drain the victim's account.
The Tilon malware authors have put in a mixture of standard and advanced evasion capabilities. Tilon doesn't install on a virtual machine, making analysis more difficult for security researchers. In fact, Klein said Tilon terminates the installation and sometimes installs a fake system tool, making researchers believe it is another rogue scareware tool, rather than a more serious financially driven attack.
When it infects the victim's machine, "the service injects malicious code into various native Windows processes, [and] then terminates itself, so no malware process is found in memory thereafter," Klein wrote. The malware authors also added a watchdog process that monitors its service entry in the registry and its executable file on disk. The goal is to resist removal by many security products, Klein wrote.
The malicious code also attempts to evade detection by security products that monitor browser functions for anomalies, according to Klein.
Tilon was discovered in July and researchers said they have already detected at least one variant of the malware. There's also evidence, Klein said, that Microsoft came across the malware and may have categorized it as a fake system tool, rather than financial malware. The malicious code is noted in the software giant's Threat Encyclopedia.