Thieves Reaching for Linux—“Hand of Thief” Trojan Targets Linux #INTH3WILD

Just two weeks after reporting about the commercialization of the KINS banking Trojan, RSA reveals yet another weapon to be used in a cybercriminal’s arsenal.

It appears that a Russia based cybercrime team has set its sights on offering a new banking Trojan targeting the Linux operating system. This appears to be a commercial operation, which includes support/sales agents and software developer(s).

Meet the “Hand of Thief” Trojan

Hand of Thief is a Trojan designed to steal information from machines running the Linux OS. This malware is currently offered for sale in closed cybercrime communities for $2,000 USD (€1,500 EUR) with free updates. The current functionality includes form grabbers and backdoor capabilities; however, it’s expected that the Trojan will gain a new suite of web injections and graduate to become full-blown banking malware in the very near future. At that point, the price is expected to rise to $3,000 USD (€2,250 EUR), plus a hefty $550 per major version release. These prices coincide with those quoted by developers who released similar malware for the Windows OS, which would put Hand of Thief well above market value considering the relatively small user base of Linux.

The Trojan’s developer claims it has been tested on 15 different Linux desktop distributions, including Ubuntu, Fedora and Debian. As for desktop environments, the malware supports 8 different environments, including GNOME and KDE.

An Insider’s Glimpse

RSA researchers have managed to obtain the malware builder as well as the server side source code, and a preliminary analysis reveals familiar functionalities of a banking Trojan. Some of the initial features include:

  • Form grabber for both HTTP and HTTPS sessions; supported browsers include Firefox and Google Chrome, as well as several other Linux-only browsers, such as Chromium, Aurora and Iceweasel.
  • Block list preventing access to specified hosts (a similar deployment is used by the Citadel Trojan to isolate bots from security updates and anti-virus providers).
  • Backdoor, backconnect and SOCKS5 proxy.
  • Anti-research toolbox, which includes anti-VM, anti-sandbox and anti-debugger measures.

Figure 1: Hand of Thief – Linux Trojan’s Builder
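A defender’s check for the block-list behaviour described above, added here as an example and not taken from the RSA post or from the malware itself. It assumes, as the Citadel comparison suggests but the post does not confirm, that the block list is implemented by rewriting /etc/hosts; the script flags hostnames sinkholed to a loopback or unspecified address, using a constructed sample hosts file with a placeholder vendor name.

```python
"""Flag /etc/hosts entries that sinkhole update or anti-virus hosts.

Assumption (not stated in the RSA post): the Trojan's block list edits
the hosts file, the way Citadel did on Windows. Sample data is constructed.
"""
import ipaddress
import socket

# Addresses that effectively blackhole a name when used in /etc/hosts.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "0.0.0.0/32", "::1/128", "::/128")]

# Names that legitimately resolve to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
               "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not a hosts mapping
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def find_sinkholed(text, allow=frozenset()):
    """Return (line_no, hostname, ip) for names mapped to a sinkhole address.

    `allow` holds extra names that may legitimately map to loopback, e.g. the
    machine's own hostname (Debian/Ubuntu map it to 127.0.1.1).
    """
    skip = LOCAL_NAMES | {n.lower() for n in allow}
    return [(n, name, str(ip)) for ip, name, n in parse_hosts(text)
            if name not in skip and any(ip in net for net in SINKHOLE_NETS)]


# Constructed sample: a normal hosts file plus two injected block-list lines.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
127.0.1.1   workstation              # normal Debian/Ubuntu entry
0.0.0.0     security.ubuntu.com      # injected: blocks security updates
127.0.0.1   updates.example-av.test  # injected: placeholder AV vendor
"""

if __name__ == "__main__":
    for line_no, name, ip in find_sinkholed(SAMPLE_HOSTS,
                                            allow={socket.gethostname()}):
        print(f"line {line_no}: {name} -> {ip}")
```

On a live system, read /etc/hosts instead of SAMPLE_HOSTS and pass the machine’s own hostname in `allow` so the distribution’s 127.0.1.1 entry is not reported.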

Control Panel Features

The developer wrote a basic administration panel for the Trojan, allowing the botmaster to control the infected machines reporting to it. The panel shows a list of the bots, provides a querying interface, and offers run-of-the-mill bot management options.

The Trojan’s infrastructure collects the stolen credentials and stores the information in a MySQL database. Captured data includes information such as timestamp, user agent, website visited and POST data. Hand of Thief also exhibits cookie-stealing functionality.

Figure 2: Hand of Thief – Linux Trojan’s Admin Panel View

Although Hand of Thief comes to the underground at a time when commercial Trojans are in high demand, writing malware for the Linux OS is uncommon, and for good reason. In comparison to Windows, Linux’s user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains. Secondly, since Linux is open source, vulnerabilities are patched relatively quickly by the community of users. Backing this up is the fact that there aren’t significant exploit packs targeting the platform. In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector.

So What’s Next?

We are left with a number of questions:

Without the ability to spread the malware as widely as on the Windows platform, the price tag seems hefty, and raises the question – will the Linux Trojan have the same value as its Windows counterparts?

Also, with recent recommendations to leave the supposedly insecure Windows OS for the safer Linux distributions, does Hand of Thief represent the early signs of Linux becoming less secure as cybercrime migrates to the platform?

Only time will tell. RSA researchers will continue to closely monitor the development of this Trojan and update accordingly.


17 thoughts on “Thieves Reaching for Linux—“Hand of Thief” Trojan Targets Linux #INTH3WILD”

  1. That’s great and I appreciate the info shared here, but can we know more about the spread capabilities, infection methods and how we can check if there are signs of this “tool” on our Linux machines?
    Does it leave any traces we can check on?


  2. I think it’s just an addon for web browsers. Not a trojan. It’s bullshit. IT never uses browsers with activated scripts; they are blocked, like with NoScript for Firefox and other useful tools. What about the root account for this trojan?
    Windows is virus heaven for virmakers and stupid users. Stupid users love it because it’s good for the eyes; virmakers love it because it is a big hole.

  3. How is someone running Linux supposed to even contract this? Is it done simply in the browser somehow through flash? It seems that the user would have to save an attachment, change its properties to allow execution, run it, and then supply a supervisor password.

  4. I have now looked at 3 articles on this – most probably based on this.

    NOWHERE is there actionable information. How is it being spread, what will detect it, what mitigating steps can be taken?

    It is really useless to publish this kind of thing without such information.

    1. Stay tuned – the FraudAction team is following up with a more technical deep dive on this one very soon. As it’s still so new, there’s a lot to comb through including the obligatory reverse engineering of the trojan itself.

  5. Is the trojan an executable with hooks into Firefox or what? Have samples been given to the developer of rkhunter? What is your policy with sharing to Linux security engineers so that we can counter these threats? We’d kind of like details here in order to know how bad the potential threat is.

  6. In my opinion, the problem with Windows is also that it has a large user base that consists of a chunk of naive population. As Linux desktop grows, we’ll see the migration of this naive population to Linux as well. And trust me, they will even run “rm -rf /” without thinking twice.

  7. How does it infect the system? Does the user have to manually enter the root password to install it, or does it exploit a vulnerability to install itself without user intervention?

  8. How does the C&C work? Does the “anti-research” toolbox hide the trojan in any effective way on Linux? Does the trojan seem to be targeting banking servers? Inquisitive minds would like to know.

  9. Do they claim that it also works on other POSIX-compliant OSes besides GNU/Linux, e.g. Solaris, {Free|Net|Open}BSD, OSX (Apple), and Darwin?

  10. I heard about this from the “Going Linux” podcast and it’s very disturbing, especially as a lot of web sites are built on top of Linux. I have some questions:
    1. Assuming you don’t use the root user to browse the internet, one would assume that files are limited to user owned files and directories. Would deleting the user directory remove the virus?
    2. Do you know where the virus installs to?
    3. Does it just operate on the desktop or does it extend to server systems that ?

    James Harrison