Tilon has been an active malware family that was spotted first time in 2012, was specially designed to filch money from online bank accounts, that earlier various researchers found to be the new version of Silon, is none other than the SpyEye2 banking Trojan, according to researchers at security firm Delft Fox-IT.
Tilon a.k.a SpyEye2 is the sophisticated version of SpyEye Trojan. Majority functional part of the malware is same as of the SpyEye banking Trojan that was developed by a 24-year-old Russian hacker 'Aleksandr Andreevich Panin' or also known as Gribodemon, who was arrested in July 2013.
‘SpyEye’, infected more than 1.4 million Computers worldwide since 2009, designed to steal people’s identities and financial information, including online banking credentials, credit card information, user names, passwords and PINs. It secretly infects the victim’s computer and gives the remote control to the cybercriminals who remotely access the infected computer through command and control servers and steal victims’ personal and financial information through a variety of techniques, including web injects, keystroke loggers, and credit card grabbers without authorization.
“The team behind its creation was similar, however, reinforced with at least one better skilled programmer,” said the researchers, adding, “The management of SpyEye2 is done through a single, unified interface, which has been completely redesigned but still contains a few of the unique features of the original SpyEye.”
An interesting part of SpyEye2, which the researchers found ‘slightly funny’, is that the malware check for the removal of the older version of SpyEye installed in the infected system and replace it with the new version, i.e. SpyEye2 with better stability features.
“No other malware families are checked for removal. Early versions of the original SpyEye were likewise equipped with a feature to remove older versions of ZeuS installed on the infected system,” researchers say.
According to the researchers, “only the Loader portion of Tilon is sourced from Silon, but this is where the similarity ends. As shown above and further illustrated in the Appendices, the body (i.e., functional portion) of Tilon was actually based on SpyEye.”
Also, another reason to consider Tilon as SpyEye's variant is its success, which was in the wild from 2012 to 2014, and suddenly seems to be over as the SpyEye author arrested last year.
Fox-IT researchers say, “the arrests, like Gribodemon and other key figures in the underground economy, such as Paunch, the author of the popular Blackhole Exploit Kit, is the key to decreasing the worldwide activity around online crime.”
It doesn’t mean that the malware won’t circulate its fraudulent activity in the future, but will finally come to an end after nearly a year of declining usage.