Security Experts:

New Banking Trojan Targets Linux Users

Researchers from RSA have uncovered a new banking Trojan designed to steal information from machines running the Linux operating system.  

Dubbed “Hand of Thief”, the Trojan is reportedly being sold in closed cybercrime communities for $2,000 with free updates.

“The current functionality includes form grabbers and backdoor capabilities, however, it’s expected that the Trojan will have a new suite of web injections and graduate to become full-blown banking malware in the very near future, ” Limor Kessem cyber Intelligence expert at RSA, explained in a blog post.

Assuming development continues and the new Trojan becomes fully functional, RSA expects the price to increase to $3,000, along with a $550 for major version releases, prices that coincide with other similar malware that targets Windows.

Linux MalwareAccording to RSA, the developer behind Hand of Thief claims it has been tested on 15 different Linux desktop distributions, including Ubuntu Fedora and Debian. The malware also reportedly supports 8 different desktop Linux environments, including Gnome and Kde.

RSA researchers got their hands on the malware builder along with the server side source code, which allowed them to see some of the features that include:

• Form grabber for both HTTP and HTTPS sessions; supported browsers include Firefox, Google Chrome, as well as several other Linux-only browsers, such as Chromium, Aurora and Ice Weasel.

• Block list preventing access to specified hosts (a similar deployment used by the Citadel Trojan to isolate bots from security updates and anti-virus providers)

• Backdoor, backconnect and SOCKS5 proxy

• Anti-research tool box, which includes anti VM, anti-sandbox and anti-debugger

In terms of backend features, the developer has already put together a basic administration panel for the Trojan, which enables the botmaster to control the infected machines reporting to it. According to Kessem, the control panel shows a list of infected machines (bots), and provides a querying interface, along with other basic bot management options.

In addition to having cookie-stealing functionality, information captured by Hand of Thief’s command and control infrastructure includes stolen credentials which are stored in a MySQL database, along with other details including timestamp, user agent, website visited and POST data.

“Although Hand of Thief comes to the underground at a time when commercial Trojans are high in demand, writing malware for the Linux OS is uncommon, and for good reason,” Kessem wrote. “In comparison to Windows, Linux’s user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains. Secondly, since Linux is open source, vulnerabilities are patched relatively quickly by the community of users. Backing this up is the fact that there aren’t significant exploit packs targeting the platform. In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector.”

Hand of Thief is not alone in being an emerging banking malware threat. Late last month, another new professional-grade banking Trojan was uncovered that RSA researchers said could soon rival Zeus, SpyEye and Citadel in how effectively it spreads. Dubbed KINS, the banking Trojan has several features in common with Zeus and SpyEye, as well as having a similar DLL-plugin-based architecture.

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.