Light Dark
August 9, 2012 By Amit Klein 4 min read
Malware

IBM has discovered a new financial malware that is targeting banks with a full bag of tricks for AV detection. Back in 2009 Trusteer, now a part of IBM, discovered Silon, a financial malware that was defrauding online banking customers protected by two-factor authentication systems left and right. In 2010 and 2011, the malware underwent two major updates and continued to do well. Lately, its numbers have been in decline, causing us to wonder whether Silon’s perpetrators were taking a long vacation in prison.

Alas, it is not so. In July 2012 we discovered a new financial malware that, upon closer investigation, contained some behaviors identical to those exhibited by Silon. After some internal debate, we decided to name it “Tilon.”

Tilon: The Newest Threat

So, what does Tilon do? Tilon is a financial malware that employs the Man in the Browser (MitB) approach. It injects itself into the browser and then fully controls the traffic from the browser to the Web server, and vice versa. It has an impressive list of supported browsers, such as Microsoft Internet Explorer, Mozilla Firefox and Google Chrome. It then captures all form submissions (“form grabbing”) from the browser to the Web server, logs them and sends them to its command and control (C&C) server, thereby gaining access to all login credentials, transactions, etc. More interestingly, perhaps, it controls the traffic (Web pages) from the Web server to the browser, and through a sophisticated “search and replace” mechanism, it targets specific URLs and replaces both large and small parts of the pages with its own text.

All of this is pretty standard MitB malware practice today, and Tilon merely provides more or less what Silon did back in 2009 and what Zeus, SpyEye, Shylock and others are capable of today. What is most impressive about Tilon is the breadth of evasion techniques it employs to avoid detection and scrutiny and to survive attacks by security products. Some of the evasion techniques we are aware of include:

  • Tilon will not install properly on a virtual machine. This is a standard practice by some malware these days, as virtual machines are typically used by researchers, not genuine users. Tilon goes one step further, however, and instead of terminating the installation or running idly (both are suspicious behaviors to a small degree), it installs a fake system tool scamware. So, the Tilon dropper is likely to be dismissed as yet another fake system tool, keeping its malicious nature concealed.
  • Tilon installs as a service with a genuine-looking name and with a random executable name. Again, this prevents it from standing out to random scrutiny. Once run, the service injects malicious code into various native Windows processes, then terminates itself, so no malware process is found in memory thereafter.
  • Inside one of the Windows native processes, Tilon starts a watchdog thread that monitors its service entry in the registry and its executable file on disk. If these are tampered with, Tilon restores them within 3 seconds. This mechanism resists removal by many security products.
  • Tilon has a very peculiar way of hooking browser functions, which is the standard implementation of the two MitB concepts — form grabbing and HTML injection. Most malware families replace the first five bytes of the functions they hook with “JMP stub,” where “stub” is the malware code that implements the hook logic. Tilon takes a completely different approach. Once it injects into the browser, it first installs an exception handler for the process (Fig. 1). Then, it overwrites only the first byte of the hooked function with the byte 0xFA, which is the x86 opcode for the Clear Interrupt Flags (CLI) instruction (Fig. 2). This instruction is privileged, so when the CPU attempts to run it in user-space, an exception will be thrown. The exception handler installed by Tilon catches this exception, and it proceeds to run the hook logic and yields execution to the original hooked function thereafter. This unorthodox hooking technique is likely used to evade security products that look for “traditional” hooking techniques on browser functions.


Fig. 1: Installing the exception handler

  • Tilon mutates, we discovered, and it has already mutated once around the end of July or early August. The mutation was around how the random file names are generated, randomizing more parts of the file name.

Detecting Tilon

The net result is very low AV detection of the Tilon dropper (four out of 41 AV engines. These results were obtained on Aug. 8 for sample MD5 92613662ac735c91e7e25b16237c3ac5).

Moreover, the ones that did detect the dropper as malicious categorized it as a “fake system tool” instead of as financial malware (Fig. 3). It should be noted that the Microsoft Threat Encyclopedia contains an entry about a malware called “Win32/Enchanim.gen!B,” which may actually be the initial variant of Tilon. The details in the Microsoft site are too light to know for certain. We aren’t familiar with any specific name for the second variant of Tilon. As the VirusTotal results indicate, it’s not detected as financial malware at all.

There is, however, some good news. IBM’s products are doing well against Tilon. IBM Security Trusteer Pinpoint Malware Detection detects Tilon, while IBM Security Trusteer Rapport prevents its installation, detects its presence in the browser and removes it from already infected machines.

 |  |  |  |  |  |  |  | 
Amit Klein
CTO, Trusteer, an IBM company

More from Malware
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

June 6, 2023

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature