When first discovered by Trusteer in 2012, the Tilon banking malware received its name because of some similarities with the Silon banking Trojan. Like Silon before it, Tilon performs Man-in-the-Browser attacks by injecting itself into the browser, thereby gaining control over the traffic going to and from it, as well as the capacity to capture all form submissions from the browser to the web server. The researchers thought that the same cyber gang was behind the creation of both Silon and Tilon.
Arrested SpyEye author Aleksandr Panin was probably responsible for the Tilon bank Trojan, developed as a “side project” using the same source code as his more famous creation, an analysis by Dutch security firm Fox-IT has concluded. According to its researchers, the now largely defunct Tilon began life in October 2011, probably as a low-key way of making some money from the bank Trojan market without the need to provide the service and support that came with purchases of the more famous SpyEye. In August 2012, the malware was eventually noticed by security firm Trusteer, which decided it was based on the Silon bank Trojan from 2009, but Fox-IT believes that Tilon borrowed only Silon’s loader; its core was re-used from SpyEye, making it in effect “SpyEye 2.”