SpyEye and Tilon banking malware have the same author(s)

When first discovered by Trusteer in 2012, the Tilon banking malware received its name because of some similarities with the Silon banking Trojan.

As Silon (and Zeus, and SpyeEye) before it, Tilon performs Man-in-the-Browser attacks by injecting itself into the browser and thus gaining control over the traffic going to and from it, as well as the capacity to capture all form submissions from the browser to the web server. The researchers thought that the same cyber gang was behind the creation of both Silon and Tilon.

But analysts from Dutch consultancy and digital forensic firm Fox-IT believe that the actual creators of Tilon are Gribodemon, the infamous author of the SpyEye banking Trojan, and his colleagues.

As a reminder: Aleksandr Andreevich Panin (aka “Gribodemon” and “Harderman”) has been arrested in 2013 by the US authorities, and has recently pleaded guilty to conspiracy to commit wire and bank fraud for his role as the primary developer and distributor of the SpyEye.

“Our findings show that after the last release of SpyEye 1.3.48, in October 2011, the SpyEye team started a side project, developing a private trojan platform for rent. Such a business model would attract much less attention than a more widely-available kit malware and doesn’t require follow-on support hassles encountered when selling a mass-marketed kit option,” Fox-IT researchers shared in a report.

This Trojan turned became known as Tilon, although a better name for it would be SpyEye2, they say.

“Tilon has been an active malware family in the wild from 2012-2014, but recent activity levels have been quite low and currently there appear to be no active C&C servers,” they explained, and added that the team involved in its development and operation was the same as the team behind SpyEye.

“There is much circumstantial evidence to support this theory. Examples include SpyEye customers who migrated to Tilon and also a sharp decline in activity of Tilon after the arrest of Gribodemon.”

There is also considerable technical evidence that the two malware families come from the same source (and source code).

“This relationship is not immediately apparent, because the code base has been overhauled. It is evident that the code has been modified by at least one new programmer, resulting in parts of the code base that are completely rewritten, in a more elegant, and robust way,” they shared.

It’s also interesting to note that some of the earlier Tilon versions have the ability to remove the original SpyEye malware – and no other.

It’s, of course, impossible to tell if Gribodemon’s arrest and likely prison sentence will make Tilon disappear. For now, its activity level has dropped dramatically, but the malware has been updated – by Gribodemon’s colleagues in crime? – since his arrest.