Tilon, a new version of the old Silon Trojan, is currently making the rounds, attempting to defraud online banking users.
Initially, Trusteer experts believed that the cybercriminals behind Silon might have been apprehended by authorities, especially since its numbers had dropped considerably in recent months. However, as it turns out, they may instead have taken the time to improve the malware.
Just like other financial malware, Tilon relies on man-in-the-browser attacks to take complete control of the traffic between the browser and the web server. It harvests all the data input by the victim and sends it back to its command and control server.
However, there’s a far more interesting feature incorporated into the Trojan. It uses a sophisticated “search and replace” mechanism that identifies specific webpages and modifies their content.
Furthermore, it comes with an impressive number of antivirus evasion techniques: it doesn’t install properly on a virtual machine, it installs itself under the name of a legitimate service, it launches a process that monitors its files and registry entries, and it mutates.
Another evasion technique concerns the way Tilon hooks browser functions.
“Once it injects into the browser, it first installs an exception handler for the process (Fig. 1). Then it overwrites only the first byte of the hooked function with the byte 0xFA, which is the x86 opcode for the instruction ‘CLI’ – the Clear Interrupt Flags instruction,” Amit Klein, the CTO of Trusteer, explained.
“This instruction is privileged, so when the CPU attempts to run it in user-space, an exception will be thrown. The exception handler installed by Tilon catches this exception and it proceeds to run the hook logic and yields execution to the original hooked function thereafter.”
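To show what this hooking pattern looks like from the defender's side, here is an added example (not from the article and not Trusteer's code) that compares a function's in-memory prologue against its on-disk bytes and names the kind of modification found. The function names and byte strings are constructed sample input, and STI/HLT are included as a generalisation beyond the single CLI byte the article describes.

```python
# Added example: classify the first bytes of a user-mode API function to spot
# Tilon-style single-byte hooks, where the first byte is replaced by a
# privileged opcode so execution faults into the hooker's exception handler.
# All sample byte strings and function names below are constructed, not captured.

# x86 opcodes that cannot legitimately start a user-mode function: executing
# them at ring 3 raises a privileged-instruction fault, which is exactly the
# behaviour Tilon relies on. 0xFA (CLI) is the byte the article describes;
# 0xFB (STI) and 0xF4 (HLT) are added here as the obvious generalisation.
PRIVILEGED_FIRST_BYTES = {0xFA: "CLI", 0xFB: "STI", 0xF4: "HLT"}

def classify_hook(in_memory: bytes, on_disk: bytes) -> str:
    """Compare the in-memory prologue of a function with the bytes of the
    same function in the module on disk and name the modification found."""
    if in_memory == on_disk:
        return "clean"
    first = in_memory[0]
    # Single-byte patch with a privileged opcode, rest of prologue intact:
    # the Tilon technique.
    if first in PRIVILEGED_FIRST_BYTES and in_memory[1:] == on_disk[1:]:
        return f"privileged-instruction hook ({PRIVILEGED_FIRST_BYTES[first]})"
    # Classic inline hook: rel32 JMP (E9) or short JMP (EB) over the prologue.
    if first in (0xE9, 0xEB):
        return "inline jmp hook"
    return "unknown modification"

def scan_exports(memory_view: dict, disk_view: dict) -> dict:
    """Run classify_hook over every export present in both views and return
    only the functions that are not clean, keyed by name."""
    findings = {}
    for name, mem_bytes in memory_view.items():
        disk_bytes = disk_view.get(name)
        if disk_bytes is None:
            continue
        verdict = classify_hook(mem_bytes, disk_bytes)
        if verdict != "clean":
            findings[name] = verdict
    return findings

# Constructed sample: classic Win32 prologue 'mov edi,edi; push ebp; mov ebp,esp'
# (8B FF 55 8B EC) as found on disk, and three in-memory variants.
DISK = {
    "HttpSendRequestW": bytes.fromhex("8bff558bec"),
    "InternetReadFile": bytes.fromhex("8bff558bec"),
    "WriteFile": bytes.fromhex("8bff558bec"),
}
MEMORY = {
    "HttpSendRequestW": bytes.fromhex("faff558bec"),  # first byte -> CLI
    "InternetReadFile": bytes.fromhex("e900100000"),  # jmp rel32 hook
    "WriteFile": bytes.fromhex("8bff558bec"),         # untouched
}
```

A byte-level comparison like this is also why the technique evades simple hook scanners that only look for a JMP at the start of a function: the patched prologue still has four of its five original bytes.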
At the time Trusteer published the information, only 4 of the antivirus vendors on VirusTotal were flagging Tilon as a threat.