Tilon/SpyEye2 intelligence report

From Botnets.fr

Botnet: Tilon, SpyEye2, Silon
Date: 2014-02-25
Editor/Conference: Fox-IT
Author: Fox-IT
Type: Tech report
Link: https://foxitsecurity.files.wordpress.com/2014/02/spyeye2_tilon_20140225.pdf


The malware family commonly known as Tilon has been around for several years now. While several public analysis reports have described the malware, no one has thus far linked it with the well-known SpyEye malware family. In light of the recent news of the guilty plea of SpyEye distributor Gribodemon, we revisit the Tilon malware family. We give a detailed analysis of its similarities to SpyEye and also place Tilon and SpyEye into the wider context of the digital underground.

The original name Tilon was chosen because of similarities with Silon. This was only true for the outer layer of the malware, the so-called loader. A better name would probably have been SpyEye2, as the functional part of the malware is sourced from SpyEye. The team behind its creation was largely the same, but reinforced with at least one more skilled programmer.

The decline in Tilon/SpyEye2 activity after the arrest of Gribodemon was evident; development, however, continued and the fraudulent activities did not stop. Finally, after nearly a year of declining usage, it seems we might have come to the real end of the SpyEye era. Or will the team behind SpyEye2 continue and start working on getting new customers?


 @misc{2014BFR4730,
   editor = {Fox-IT},
   author = {Fox-IT},
   title = {Tilon/SpyEye2 intelligence report},
   day = {25},
   month = feb,
   year = {2014},
   howpublished = {\url{https://foxitsecurity.files.wordpress.com/2014/02/spyeye2_tilon_20140225.pdf}},
 }