Tiylon: A Modern Bank Robber

The biggest bank robbery of all time was identified in Brazil in 2005. In this case, a gang broke into a bank by tunneling through 1.1 meters of steel and reinforced concrete and then removed 3.5 tons of containers holding bank notes. This heist resulted in the loss of about 160 million Brazilian dollars (US$380 million).

Robbers today, however, don’t have to bother with drilling through walls to steal money. They can rob a bank while sitting comfortably at home behind a computer. Thanks to cybercrime, organizations have suffered financial losses in the order of millions. The Symantec State of Financial Trojans 2013 whitepaper shows that banking Trojans are becoming more prevalent. Apart from other more common malware such as Zeus and Spyeye, one of the most popular financial malware that cybercriminals currently use is a threat called Tiylon. This Trojan uses a man-in-the-browser (MITB) attack to intercept user authentications and transaction authorizations on online banking sites.

Initial infection by targeted attack
Tiylon typically arrives as an attachment in the form of a short email to attempt to evade antispam filters. Unlike most spam campaigns associated with financial Trojans (like Zeus), Tiylon emails are part of a targeted attack. Symantec telemetry shows the attack targets online banking users  in several different regions around the world, with a particular focus on the UK, US, Italy, Australia, and Japan (Figure 2).


Figure 1. Tiylon email with a malicious attachment.

The threat consists of three different files: a downloader, a main component file, and a configuration file.

Downloader file
The downloader acts as a load point and is responsible for the installation of the main component file. When the downloader executes, it constructs system information derived by the computer’s serial number and establishes a connection to the attacker’s command-and-control (C&C) server. When the connection is established, a registry key is created.

  • Windows XP:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\“WwYNcov” = “%System%\WwYNcov.exe”
  • Windows 7:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{905CC2F7-082A-4D1D-B76B-92A2FC7341F6}\“Path” = “\\xxUxqdT”

The downloader then injects code into explorer.exe and svchost.exe to initiate malicious activity.

Main component file
The main component file is downloaded and decrypted by the Tiylon downloader file. This component collects a configuration file from the C&C server to specify the parameters of the attack. The component also manipulates registry settings to reduce the security of the computer and browser. This is also the component that intercepts communications between the user and financial institution websites.

Core functionalities include the following:

  • Performs Web injection attacks
  • Logs key strokes
  • Captures screenshots
  • Starts FTP and RDP servers
  • Starts Remote Desktop Protocol (RDP)
  • Reads certificates
  • Downloads and executes files
  • Create services
  • Hook operating system APIs in order to steal network data
  • Inject code into other processes
  • Log off, restart, or shut down the compromised computer
  • Perform process injections into Web browsers

Tiylon attempts to evade detection by inspecting directories and installed applications. It also tries to find out if the computer is a virtual machine by checking the process list. If the C&C server finds any environment that could detect malicious activities, it may ban the computer’s IP address and then try to infect other users. It may also force some non Symantec antivirus software to set exclusions, helping the threat avoid detection. The malware code itself is obfuscated and has several packing cycles, which complicates analysis.

Timeline of attacks
The Tiylon attacks occured between January 1, 2012, and October 1, 2013.


Table 1. Tiylon attack numbers by country


Figure 2. Animation showing Tiylon attack numbers by country

Symantec protects customers against Tiylon with the following anitvirus and IPS detections:



Symantec recommends users to have the most up-to-date software patches and definitions in place to protect against threats. In this particular case, we suggest installing an antispam solution for your email client and refrain from opening suspicious attachments.