Questions Linger About New Linux ‘Hand of Thief’ Trojan

The Hand of Thief Trojan caters to hackers looking to exploit Linux machines.

It looks like cybercriminals will soon be able to add yet another Trojan to their hacking repertoire, the Hand of Thief banking malware that targets Linux machines.

Currently being sold on the Russian black market, Hand of Thief is fetching $2,000 USD (€1,500 EUR) but could be poised to run a cool $3,000 – plus an extra $550 per version release – if the malware evolves the way researchers expect it to.

Researchers at RSA have been reverse-engineering the malware and also dug up the server-side source code, according to a blog Wednesday by Limor Kessem, of RSA’s FraudAction research lab.

Hand of Thief allows hackers to grab information from forms submitted over HTTP and HTTPS and to block access to specified hosts. The malware also includes evasion features aimed at security software, including checks for a virtual machine, a sandbox and an attached debugger.

The Trojan works on Firefox and Google Chrome, as well as Linux browsers like Chromium, Aurora and Iceweasel. It also works on distributions such as Ubuntu, Fedora and Debian and on desktop environments such as Gnome and KDE.

The Trojan basically lets the hacker control the machines it is connected to, and stores stolen credentials and system data – timestamp, user agent, website visited, POST data and cookies – in a MySQL database.

According to RSA, the underground forums advertising the malware also boast support, sales agents and software developers, suggesting the hackers behind the Trojan are in it for the long haul.

Hand of Thief has the potential to become one of the first real banking Trojans for Linux, but it’s unclear yet how bright the malware’s future is. The Trojan doesn’t quite have the Web injection functionality it needs to dupe its victims, but should in due time, RSA said. That’s the goal of the developer, who has completed 92 percent of the injects and claims they’ll be available “very very soon,” said Kessem, who told Threatpost in an interview Wednesday that she has spoken with the Trojan’s developer.

“We know nowadays that when you don’t have Web injection, it’s almost impossible to commit fraud just using a Trojan. It’s a lot harder because there are different factors of authentication needed during a fraudulent transaction,” Kessem said. “Without social engineering, most of the time they cannot successfully do the transaction.”

Kessem claims the developer has the backdoor and the proxies but, like the creators behind the Citadel Trojan, is hoping to crowdsource the rest of his capital. Those who get in on the ground level and purchase the Trojan now will be incentivized with free updates before the price jumps to $3,000 per Trojan and about $550 per update.

While a $2,000 or $3,000 price tag sounds steep, the real question is value: it’s not clear what the Trojan will be able to accomplish given Linux’s small user base. “Nobody knows yet how many computers are going to get infected every time there’s a campaign,” Kessem said. “You don’t have the same fraud economy that backs up Linux; for Windows you have people selling exploit packs galore, it’s a service industry that doesn’t exist for Linux.”

Kessem also wonders whether, even if the malware were integrated into an exploit pack, it could be successfully executed on Linux, pointing out that a Linux rootkit that surfaced last November was more of an experimental project.

That rootkit, analyzed by CrowdStrike, proved not to be the work of a high-level programmer and at the time didn’t look like it could be easily used in targeted attacks. Hand of Thief has the potential to be one of a kind, but it remains to be seen whether the Trojan will be as productive and lucrative as its Windows banking Trojan counterparts.