Hand of Thief Linux Trojan fails to work as promised

RSA researchers have recently spotted a banking Trojan targeting Linux systems being sold online by a cybercrime team based in Russia.

Dubbed Hand of Thief by its creator(s), the malware apparently has form grabbing and backdoor capabilities, and is able to block the victims’ access to hosts offering AV solutions and security updates. It also purportedly works on 15 different Linux desktop distributions and supports 8 different desktop environments.

Well, the same researchers have managed to get their hands on the HoT Trojan builder, allowing them to build, test and analyze HoT binaries – and the verdict is not good for the creator, sellers or the buyers.

“The Trojan’s executable is a 32-bit compiled ELF, and as such, will only run on 32-bit versions of the Linux OS (running HoT on a 64-bit machine would require some workarounds),” Yotam Gottesman, a senior researcher with RSA FraudAction Research Labs, explained in a blog post.

As far as the configuration file is concerned, the difference between this malware and similar ones is that the file is embedded into the binary by its builder – meaning that in order to change the information in it, the botmaster must build a new version of the binary and update its botnet with it.

The file is also versatile, and allows the botmaster to make a number of changes to the functioning of the malware, including updating a list of URLs which the Trojan is to block access to (e.g. sites for downloading AV updates).

“This part of the Trojan’s functions was accurately described by its vendor and confirmed by the actual analysis of the builder and config file,” Gottesman notes, adding that, as announced, the developer is also working on implementing the web-injection mechanism for the Trojan.

But the promise of it working on a variety of Linux desktop distributions, environments and browsers has not been fulfilled.

The researchers tried to run the binary on a couple of test machines running Fedora 19 and Ubuntu 12.04 with the default Firefox and Google Chrome versions. The browsers either froze or crashed, or the malware grabbed requests indiscriminately, quickly creating clutter at the drop server, or the malware didn’t work at all because of the OS’s protection mechanism. On one occasion, it even showed a “greeting” screen on the infected machine’s active terminal. None of this is conducive to a stealthy and successful operation.

“Although it initially appeared to be a compelling new Trojan entrant, RSA’s in-depth analysis of the code proves it is a prototype more than true commercially viable malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data. Furthermore, HoT can also be easily removed from the machine by deleting the files dropped during the HoT installation process,” Gottesman points out.

“Hand of Thief’s developer claims that he is in the final stages of implementing a web-injections mechanism, but since the Form grabber he designed is not functional on the browsers he claims to have tested, the injections are not very likely to work either.”
