Now on Demand: CISO Forum Virtual Summit - All Sessions Available to Watch Instantly
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

New Banking Trojan Targets Linux Users

Researchers from RSA have uncovered a new banking Trojan designed to steal information from machines running the Linux operating system.  

Dubbed “Hand of Thief”, the Trojan is reportedly being sold in closed cybercrime communities for $2,000 with free updates.

Researchers from RSA have uncovered a new banking Trojan designed to steal information from machines running the Linux operating system.  

Dubbed “Hand of Thief”, the Trojan is reportedly being sold in closed cybercrime communities for $2,000 with free updates.

“The current functionality includes form grabbers and backdoor capabilities, however, it’s expected that the Trojan will have a new suite of web injections and graduate to become full-blown banking malware in the very near future, ” Limor Kessem cyber Intelligence expert at RSA, explained in a blog post.

Assuming development continues and the new Trojan becomes fully functional, RSA expects the price to increase to $3,000, along with a $550 for major version releases, prices that coincide with other similar malware that targets Windows.

Linux MalwareAccording to RSA, the developer behind Hand of Thief claims it has been tested on 15 different Linux desktop distributions, including Ubuntu Fedora and Debian. The malware also reportedly supports 8 different desktop Linux environments, including Gnome and Kde.

RSA researchers got their hands on the malware builder along with the server side source code, which allowed them to see some of the features that include:

• Form grabber for both HTTP and HTTPS sessions; supported browsers include Firefox, Google Chrome, as well as several other Linux-only browsers, such as Chromium, Aurora and Ice Weasel.

• Block list preventing access to specified hosts (a similar deployment used by the Citadel Trojan to isolate bots from security updates and anti-virus providers)

• Backdoor, backconnect and SOCKS5 proxy

Advertisement. Scroll to continue reading.

• Anti-research tool box, which includes anti VM, anti-sandbox and anti-debugger

In terms of backend features, the developer has already put together a basic administration panel for the Trojan, which enables the botmaster to control the infected machines reporting to it. According to Kessem, the control panel shows a list of infected machines (bots), and provides a querying interface, along with other basic bot management options.

In addition to having cookie-stealing functionality, information captured by Hand of Thief’s command and control infrastructure includes stolen credentials which are stored in a MySQL database, along with other details including timestamp, user agent, website visited and POST data.

“Although Hand of Thief comes to the underground at a time when commercial Trojans are high in demand, writing malware for the Linux OS is uncommon, and for good reason,” Kessem wrote. “In comparison to Windows, Linux’s user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains. Secondly, since Linux is open source, vulnerabilities are patched relatively quickly by the community of users. Backing this up is the fact that there aren’t significant exploit packs targeting the platform. In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector.”

Hand of Thief is not alone in being an emerging banking malware threat. Late last month, another new professional-grade banking Trojan was uncovered that RSA researchers said could soon rival Zeus, SpyEye and Citadel in how effectively it spreads. Dubbed KINS, the banking Trojan has several features in common with Zeus and SpyEye, as well as having a similar DLL-plugin-based architecture.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Secure enterprise browser provider Menlo Security has appointed Bill Robbins as President.

Erik Rolf has joined Booz Allen Hamilton as the Business Information Security Officer (BISO) of Commercial Sector.

Gant Redmon has joined Trustle as its new Chief Executive Officer and Board Director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.