Security Experts:

Connect with us

Hi, what are you looking for?



New Banking Trojan Targets Linux Users

Researchers from RSA have uncovered a new banking Trojan designed to steal information from machines running the Linux operating system.  

Dubbed “Hand of Thief”, the Trojan is reportedly being sold in closed cybercrime communities for $2,000 with free updates.

Researchers from RSA have uncovered a new banking Trojan designed to steal information from machines running the Linux operating system.  

Dubbed “Hand of Thief”, the Trojan is reportedly being sold in closed cybercrime communities for $2,000 with free updates.

“The current functionality includes form grabbers and backdoor capabilities, however, it’s expected that the Trojan will have a new suite of web injections and graduate to become full-blown banking malware in the very near future, ” Limor Kessem cyber Intelligence expert at RSA, explained in a blog post.

Assuming development continues and the new Trojan becomes fully functional, RSA expects the price to increase to $3,000, along with a $550 for major version releases, prices that coincide with other similar malware that targets Windows.

Linux MalwareAccording to RSA, the developer behind Hand of Thief claims it has been tested on 15 different Linux desktop distributions, including Ubuntu Fedora and Debian. The malware also reportedly supports 8 different desktop Linux environments, including Gnome and Kde.

RSA researchers got their hands on the malware builder along with the server side source code, which allowed them to see some of the features that include:

• Form grabber for both HTTP and HTTPS sessions; supported browsers include Firefox, Google Chrome, as well as several other Linux-only browsers, such as Chromium, Aurora and Ice Weasel.

• Block list preventing access to specified hosts (a similar deployment used by the Citadel Trojan to isolate bots from security updates and anti-virus providers)

• Backdoor, backconnect and SOCKS5 proxy

• Anti-research tool box, which includes anti VM, anti-sandbox and anti-debugger

In terms of backend features, the developer has already put together a basic administration panel for the Trojan, which enables the botmaster to control the infected machines reporting to it. According to Kessem, the control panel shows a list of infected machines (bots), and provides a querying interface, along with other basic bot management options.

In addition to having cookie-stealing functionality, information captured by Hand of Thief’s command and control infrastructure includes stolen credentials which are stored in a MySQL database, along with other details including timestamp, user agent, website visited and POST data.

“Although Hand of Thief comes to the underground at a time when commercial Trojans are high in demand, writing malware for the Linux OS is uncommon, and for good reason,” Kessem wrote. “In comparison to Windows, Linux’s user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains. Secondly, since Linux is open source, vulnerabilities are patched relatively quickly by the community of users. Backing this up is the fact that there aren’t significant exploit packs targeting the platform. In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector.”

Hand of Thief is not alone in being an emerging banking malware threat. Late last month, another new professional-grade banking Trojan was uncovered that RSA researchers said could soon rival Zeus, SpyEye and Citadel in how effectively it spreads. Dubbed KINS, the banking Trojan has several features in common with Zeus and SpyEye, as well as having a similar DLL-plugin-based architecture.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.