Researchers at EMC’s RSA Security Division slapped down the ‘Hand of Thief’ [HoT] banking Trojan in an updated analysis of the malware’s capabilities.
RSA first noted the appearance of the malware in Russian cyber-underground marketplaces in late July. Shortly thereafter, RSA reported that the Trojan – which is focused on stealing information from machines running Linux – includes form grabbers and backdoor capabilities and was expected to “graduate to become full-blown banking malware in the very near future.”
Now however, in an updated analysis, the company said that the Trojan seems more like a prototype than a finished product.
“Our research and analysis shows that, in reality, HoT’s grabbing abilities are very limited if not absent, which would make the malware a prototype that needs a lot more work before it can be considered a commercially viable banking Trojan,” blogged Yotam Gottesman, senior security researcher at RSA FraudAction Research Labs.
“In his sales adverts, Hand of Thief’s developer explained that he is in the final stages of implementing the web-injection mechanism for the malware,” Gottesman added. “Researching the Trojan proved that no injections are currently in place, but the preparation for such a mechanism is.”
The infection method for the malware is still primitive, the researcher added, and Hand of Thief’s developer did not offer as recommended infection method other than sending the Trojan via email and using social engineering to trick the user into launching the malware on their machine.
Still, the Hand of Thief malware does have some elements attackers will covet. For example, the malware’s binary reveals it is packed to protect the actual malware from being discovered and blocked by security processes on the machine. In addition, before running on a machine, the malware tests whether or not it is running within a virtual environment.
In addition, like other commercially-available Trojans, Hand of Thief includes a builder that gives cyber-criminals the power to create new variants of the malware on demand.
“Hand of Thief has come to the cybercrime underground at a time when commercial Trojans are high in demand, stirring some excitement amongst criminals,” Gottesman blogged. “Although it initially appeared to be a compelling new Trojan entrant, RSA’s in-depth analysis of the code proves it is a prototype more than true commercially viable malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data. Furthermore, HoT can also be easily removed from the machine by deleting the files dropped during the HoT installation process.”
More on the Trojan can be found here.
