Security vendor Trusteer has uncovered a type of financial malware that it claims is capable of avoiding detection by most types of anti-virus software.
The Trojan, dubbed Tilon, uses the so-called Man in the Browser' (MitB) technique: the malware injects itself into the software and is then in full control of the traffic travelling between the browser and the web server.
"[Tilon] has an impressive list of supported browsers Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and probably others," said Amit Klein, chief technology officer at Trusteer.
According to Klein, Tilon, which is related to the Silon malware Trusteer detected in 2009, is specifically targeted at online banking customers protected by two factor authentication systems.
It is able to gain access to all login credentials and transactions, the company said, by capturing all form submissions and sending them to its command and control server.
What is most impressive about Tilon is the breadth of evasion techniques it employs
"More interestingly perhaps, it controls the traffic (web pages) from the web server to the browser, and through a sophisticated search and replace' mechanism it targets specific URLs and replaces parts (small and large) of the pages with its own text," Klein added.
The firms claims Tilon shares similarities with other financial malware, such as Zeus, SpyEye and Shylock, but it is its evasion mechanisms that make it stand out.
"What is most impressive about Tilon is the breadth of evasion techniques it employs to avoid detection and scrutiny and to survive attacks' by security products," Klein said.
Evasion techniques detected so far by Trusteer include starting a watchdog' thread that prevents its removal by many security products, and the installation of two executable files, one with a genuine-looking name and the other with a random name, also designed to prevent detection.
The malware will also not install properly on a virtual machine, making it hard for researchers to study. Additionally, if an installation on a virtual machine is attempted, Tilon will deploy fake system tool' scamware as a decoy, which will cause researchers to overlook the real threat.
The company discovered Tilon in July and, according to Klein, it has already mutated once.
Security and fraud professionals from the banking industry who want to know if their bank has been targeted are encouraged to contact the company using this link.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
CronRat Magecart malware uses 31st February date to remain undetectedNews The malware allows for server-side payment skimming that bypasses browser security
-
Mekotio trojan continues to spread despite its operators’ arrestsNews Hackers have used it in 100 more attacks since arrests
-
“Trojan Source” hides flaws in source code from humansNews Organizations urged to take action to combat the new threat that could result in SolarWinds-style attacks
-
What is Emotet?In-depth A deep dive into one of the most infamous and prolific strains of malware
-
Fake AnyDesk Google ads deliver malwareNews Malware pushed through Google search results
-
Hackers use open source Microsoft dev platform to deliver trojansNews Microsoft's Build Engine is being used to deploy Remcos password-stealing malware
-
Android users told to be on high alert after Cerberus banking Trojan leaks to the dark webNews The source code for the authenticator-breaking malware is available for free on underground forums
-
Qbot malware surges into the top-ten most common business threats
News An evolved form of the banking Trojan was distributed by number one-ranking Emotet in a campaign that hit 5% of businesses globally
