New Linux ‘Hand of Thief’ Trojan Appears

A new Trojan is on its way. Its name is Hand of Thief, and it will attack computers running on Linux operating system. Although the virus is only available on the Russian black market, it is expected that this situation will change in the future. The Trojan currently costs 2,000 USD, but it is predicted that the price will reach 3,000 USD once the development will be over. Furthermore, any updates of the Trojan will cost additional 550 USD.

Limor Kessem, security expert at RSA’s FraudAction research lab, released a statement on Wednesday. He claimed that the team of researchers from RSA has found out the server-side source code of the malware. This was achieved by performing reverse-engineering on the Trojan.

Hand of Thief is capable of gathering data from forms on HTTPS and HTTP. Furthermore, the malware can restrict access to particular hosts. The Trojan is also capable of avoiding antivirus programs or other security software. It has a feature which allows the Hand of Thief virus to detect sandbox, a virtual machine or running debuggers.

The virus attacks major internet browsers such as Google Chrome, Mozilla Firefox, but it is also capable of infiltrating Linux based browsers such as Aurora, Ice Weasel or Chromium. Moreover, the Hand of Thief Trojan is also compatible with distributions e.g. Ubuntu, Debian, Fedora as well as desktop features such as KDE and Gnome.

Once the PC is infected with the virus, the hacker has the ability to control the device. Furthermore, The Hand of Thief starts gathering and storing information such as credentials, user agent, timestamp, internet history, POST data as well as cookies- in a MySQL database.

The Trojan has the potential to cause a lot of damage in the future, but until then one more improvement should be made because the virus has a major disadvantage. The distribution of the Hand of Thieve virus is limited as it doesn’t possess the Web injection functionality. Nevertheless, speaking with Threatpost the developer of the Trojan stayed optimistic and claimed that such feature will be available in the near future.

Security expert, Kessem explained that, in today’s world,  the use of a virus without the Web injection functionality is very limited. The security procedures used in e-banking are becoming more and more sophisticated every year. As a result, in order to make a scam, criminals need to consider a lot of factors. Kessem added that social engineering has become an integral part of those scams as without it,  the money transactions wouldn’t be possible.

Currently, the buyers are tempted with lower prices and free updates. The Trojan developer already has the proxies and the backdoor, but the remaining capital is going to be crowdsourced. This is why the virus resembles Citadel Trojan, a major threat to PC users. There is a big uncertainty associated with the virus. No one can tell whether the Trojan is going to be profitable as the number of Linux users is not very big. That is why the price tags sound quite hefty. This situation is completely different from the Windows one, where the market is filled with various banking malware.

Kessem still has doubts whether the Trojan could be successful even if it was integrated into an exploit kit. He grounds his believes with the failure of Linux based attacks using a rootkit which were carried out in last November. The mentioned rootkit was investigated by CrowdStrike. The company discovered that the code of the virus was not very sophisticated. Furthermore, the capabilities of the rootkit are limited as it was not suitable for targeted attacks. Although the potential of the Hand of Thieve is much greater as the program is more sophisticated, it still remains unclear whether Linux based attacks will bring profits for the criminals.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>