It looks like cybercriminals will soon be able to add yet another Trojan to their hacking repertoire, the Hand of Thief banking malware that targets Linux machines.

Currently being sold on the Russian black market, Hand of Thief is fetching $2,000 USD (€1,500 EUR) but could be poised to run a cool $3,000 – plus an extra $550 per version release – if the malware evolves the way researchers expect it to.

Researchers at RSA have been reverse-engineering the malware and also dug up the server-side source code, according to a blog Wednesday by Limor Kessem, of RSA’s FraudAction research lab.

Hand of Thief allows hackers to grab information from forms on HTTP and HTTPS and block access to specified hosts. The malware also features technology to help it avoid detection by security software, including technology that detects the presence of a virtual machine, sandbox and whether debuggers are running.

The Trojan works on Firefox, Google Chrome, as well as Linux browsers like Chromium, Aurora and Ice Weasel. It also works on distributions such as Ubuntu, Fedora, Debian and desktop options such as Gnome and KDE.

The Trojan basically lets the hacker control the machines it is connected to and stores stolen credentials, along with system data such as timestamp, user agent, website visited, POST data and cookies, in a MySQL database.

According to RSA, the underground forums advertising the malware also boast support, sales agents and software developers, suggesting the hackers behind the Trojan are in it for the long haul.

Hand of Thief has the potential to become one of the first real banking Trojans for Linux but it’s unclear how bright the malware’s future is yet. The Trojan doesn’t quite have the Web injection functionality it needs to dupe its victims but should in due time, RSA said. That’s the goal of the developer, who has completed 92 percent of the injects and claims they’ll be available “very very soon,” said Kessem, who said she has spoken with the Trojan’s developer, in an interview with Threatpost Wednesday.

“We know nowadays that when you don’t have Web injection, it’s almost impossible to commit fraud just using a Trojan. It’s a lot harder because there are different factors of authentication needed during a fraudulent transaction,” Kessem said, “without social engineering, most of the time they cannot successfully do the transaction.”

Kessem claims the developer has the backdoor and the proxies, but like the creators behind the Citadel Trojan, is hoping to crowdsource the rest of his capital. Those who get in on the ground level and purchase the Trojan now will be incentivized with free updates before the price jumps to $3000 per Trojan and about $550 per update.

While a $2000 or $3000 price tag sounds pricey, it’s really only expensive in the sense that it’s not clear what the Trojan will be able to accomplish with Linux’s small user base. “Nobody knows yet how many computers are going to get infected every time there’s a campaign,” Kessem said. “You don’t have the same fraud economy that backs up Linux; for Windows you have people selling exploit packs galore, it’s a service industry that doesn’t exist for Linux.”

Kessem wonders whether, even if the malware were integrated into an exploit pack, it could be executed successfully on Linux, pointing out that a Linux rootkit that surfaced last November was more of an experimental project.

That rootkit, analyzed by CrowdStrike, proved not to be the work of a high-level programmer and at the time didn’t look like it could be easily used in targeted attacks. Hand of Thief has the potential to be one of a kind, but it remains to be seen whether the Trojan will be as productive and lucrative as its Windows banking Trojan counterparts.

Categories: Malware

Comments (2)

  1. Mustapa Osman

    I still don’t get how the malware can be executed in Linux. It claims that “hackers to grab information from forms on HTTP and HTTPS”. Well, I don’t see how unless:

    a) It is an add-on or extension plugin for a specific browser, where the actual functionality lies, and the user actually installs the add-on/extension plugin.
    b) Sniffing via the LAN network, or people working in a telco or having access to a telco core network, where it can grab HTTP; it can work on HTTPS if they have the SSL keys or via an SSL proxy.

    I’ve been using Ubuntu for quite some time now; there’s no way you are able to install it without superuser permission. If the malware is some form of a script and it needs to capture packets such as HTTP and HTTPS, it still needs root access, whereas by default Ubuntu uses standard user privileges.

    So I really wonder how it can be executed in Linux..???

  2. passerby

    sudo isn’t an end-all to security. It’s an application layer that executes commands with the privileges of a specified user, the default being root. That has little to do with a browser that is already running by a user, unless an attack attempts to go beyond privilege. A trojan wouldn’t need that quality simply for interception between the user and html or htmls content; so long as it shares the same privilege level, it can make its own SQL base. As a “trojan”, the malware has the quality of hiding within other software, such as plugins, javascript, etc., that is otherwise seemingly legitimate, again, all without changing privilege. The browser is the exploit, not the system. https may be intercepted before encryption once the browser is exploited in memory. Malware would not need to capture packets, just intercept prior to the user-side forms chunk into packets.