Upon further examination, a new banking Trojan variant may not be as commercially viable as it was thought to be.
Researchers at RSA Security have peeled back the layers this week on the Hand of Thief banking Trojan, a piece of malware that made headlines over the summer after it was thought to be targeting Linux distributions.
The firm’s FraudAction team has done further research on its builder, created binaries and tested its functionality and deduced that the malware is really a shell of what it claims to be – in RSA’s words, a “prototype.”
“[Its] grabbing abilities are very limited if not absent, which would make the malware a prototype that needs a lot more work before it can be considered a commercially viable banking Trojan,” Yotam Gottesman, RSA senior security researcher, wrote in a blog entry today.
The post goes on to break down the malware’s builder, its configuration file and how it’s handled on a browser-by-browser basis.
When Hand of Thief was discovered, its creator was still waiting to incorporate its Web injection functionality, something RSA’s Limor Kessem said at the time would be essential if attackers wanted to use it to commit fraud.
There are still no injections in place, but Gottesman insists that while the Trojan is prepared for one – the malware’s configuration parsing routine looks primed for URL filtering – it doesn’t look like it’ll work once they’re added. The reason appears to be inconsistent behaviour across the browsers it targets.
The malware’s creator claims to have tested the form grabber on browsers such as Chrome and Firefox, along with their experimental builds, Aurora and Chromium, but when RSA tested the malware it caused many of those browsers to freeze and crash.
Chrome on Fedora 19 in particular froze, while Firefox on the same machine managed to “capture only empty requests with no information being delivered to the drop server.”
When the malware did work, it captured so much data in such a “generic manner” that it could potentially “quickly clutter the drop server with useless data.” In other cases the malware didn’t capture data at all.
“On some sporadic occasions the malware did capture requests and relayed them to its C&C server, however, even the successful requests sent to the server arrived empty of data,” Gottesman said in the blog.
Machines running Ubuntu weren’t tested by the developer, but RSA notes that a protection mechanism called ptrace scope actually blocked the Trojan’s form grabber and URL blocker from working, adding that “on most sessions, HoT caused Firefox to crash and close.”
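The ptrace scope setting RSA credits here is the Linux Yama LSM sysctl `kernel.yama.ptrace_scope`; a form grabber that attaches to a running browser needs ptrace, and Ubuntu ships the sysctl at level 1, which only permits tracing descendant processes. The following audit script is an added example (not RSA's or the article's code) that reads and interprets the setting; the file-path argument and the exit-code convention are this example's own assumptions.

```shell
#!/bin/sh
# Defender-side check of the Yama ptrace_scope sysctl, the control that kept
# HoT from attaching to Firefox on Ubuntu in RSA's tests.
#
# Yama levels (kernel Documentation/admin-guide/LSM/Yama.rst):
#   0  classic:    any process may ptrace any other process of the same uid
#   1  restricted: only a descendant may be traced (or a PR_SET_PTRACER target)
#   2  admin-only: the tracer needs CAP_SYS_PTRACE
#   3  no attach:  ptrace attach disabled until reboot

# describe_scope VALUE -> one-line meaning of the level; fails on unknown values
describe_scope() {
    case "$1" in
        0) echo "classic (same-uid attach allowed; cross-process injection possible)" ;;
        1) echo "restricted (attach only to descendants; browser injection blocked)" ;;
        2) echo "admin-only (CAP_SYS_PTRACE required)" ;;
        3) echo "no attach (ptrace disabled until reboot)" ;;
        *) return 1 ;;
    esac
}

# audit_ptrace_scope [FILE]
#   FILE defaults to the live sysctl; a path is accepted (assumed convention)
#   so the check can run against a captured copy of the file.
# Exit status (assumed convention): 0 = restricted (level >= 1),
#   1 = classic (level 0), 2 = Yama absent or value unreadable.
audit_ptrace_scope() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    [ -r "$f" ] || { echo "Yama ptrace_scope not present: $f"; return 2; }
    v=$(tr -d '[:space:]' < "$f")
    desc=$(describe_scope "$v") || { echo "unexpected value '$v' in $f"; return 2; }
    echo "ptrace_scope=$v: $desc"
    [ "$v" -ge 1 ]
}

# Stand-alone run reports the live kernel setting and its verdict.
audit_ptrace_scope || echo "(audit exit status $?)"
```

A level of 0 is the state under which a same-user process can attach to the browser; persisting a value of 1 or higher in /etc/sysctl.d keeps the setting across reboots.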
RSA also points out that the infection method for HoT is still quite primitive. Its exploit pack is less reliable than the usual exploit packs found in commercial malware campaigns. The developer fails to recommend an infection method and instead casually endorses the idea of just sending the malware to victims via email.
There were some questions about Hand of Thief when the Trojan first surfaced last month. Researchers wondered whether the malware would evolve given its narrow Linux attack vector and steep price point. It’s clear now that the answer to that question is more than likely no, pending more work from the Trojan’s developer.