Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Reach of ‘Hand of Thief’ Banking Trojan Exceeds Grasp: RSA

Researchers at EMC’s RSA Security Division slapped down the ‘Hand of Thief’ [HoT] banking Trojan in an updated analysis of the malware’s capabilities.

Researchers at EMC’s RSA Security Division slapped down the ‘Hand of Thief’ [HoT] banking Trojan in an updated analysis of the malware’s capabilities.

RSA first noted the appearance of the malware in Russian cyber-underground marketplaces in late July. Shortly thereafter, RSA reported that the Trojan – which is focused on stealing information from machines running Linux – includes form grabbers and backdoor capabilities and was expected to “graduate to become full-blown banking malware in the very near future.”

Now however, in an updated analysis, the company said that the Trojan seems more like a prototype than a finished product.

“Our research and analysis shows that, in reality, HoT’s grabbing abilities are very limited if not absent, which would make the malware a prototype that needs a lot more work before it can be considered a commercially viable banking Trojan,” blogged Yotam Gottesman, senior security researcher at RSA FraudAction Research Labs.

“In his sales adverts, Hand of Thief’s developer explained that he is in the final stages of implementing the web-injection mechanism for the malware,” Gottesman added. “Researching the Trojan proved that no injections are currently in place, but the preparation for such a mechanism is.”

The infection method for the malware is still primitive, the researcher added, and Hand of Thief’s developer did not offer as recommended infection method other than sending the Trojan via email and using social engineering to trick the user into launching the malware on their machine.

Still, the Hand of Thief malware does have some elements attackers will covet. For example, the malware’s binary reveals it is packed to protect the actual malware from being discovered and blocked by security processes on the machine. In addition, before running on a machine, the malware tests whether or not it is running within a virtual environment.

In addition, like other commercially-available Trojans, Hand of Thief includes a builder that gives cyber-criminals the power to create new variants of the malware on demand.

“Hand of Thief has come to the cybercrime underground at a time when commercial Trojans are high in demand, stirring some excitement amongst criminals,” Gottesman blogged. “Although it initially appeared to be a compelling new Trojan entrant, RSA’s in-depth analysis of the code proves it is a prototype more than true commercially viable malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data. Furthermore, HoT can also be easily removed from the machine by deleting the files dropped during the HoT installation process.”

More on the Trojan can be found here.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.