Linux 'Hand of Thief' Trojan offered for sale at $2,000 a time

Russian gang tries its luck

Researchers have discovered a Trojan capable of attacking multiple Linux distros being offered for sale by enterprising Russian criminals for $2,000 (£1,300) a time. Is it time for Linux users to worry, or is this another speculative attack?

Linux malware has hitherto been a vanishingly small subject, with most of the recent examples being attacks on Apache web servers. When desktop-oriented attacks turn up they are usually experimental, the work of a curious programmer, and are not heard of again. A good example would be the Snasko rootkit from 2012.

What RSA has discovered is a malware-building kit for a programme called 'Hand of Thief', the name given to the platform by its creators rather than by the researchers.

The malware is designed to steal data from Linux systems running any one of the 15 distributions and eight desktop environments (e.g. Gnome, KDE) the developer claims to have tested it on, including Ubuntu, Fedora and Debian.

Specifically, it includes a form-grabbing function for use against Firefox, Chrome and Linux-only browsers such as Chromium, Aurora and Weasel, including the capture of HTTPS sessions. In non-technical parlance, it will steal any credentials it can under the direction of a bot control system, which collects what it steals in an SQL database.

"Writing malware for the Linux OS is uncommon, and for good reason. In comparison to Windows, Linux's user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains," said RSA cyber intelligence expert, Limor Kessem.

"Secondly, since Linux is open source, vulnerabilities are patched relatively quickly by the community of users."

The criminals selling Hand of Thief thought that infecting Linux systems was likely to be so difficult that an attacker would need to use social engineering to install the malware, she said.

The criminals developing the software suggest it could eventually be turned into a banking malware platform at which point the price would rise to $3,000 a time plus a further $550 for upgrades.

How seriously should Linux users take this kind of threat? It looks as if the crimeware group has got ahead of itself. Kessem notes that even the $2,000 price is expensive by malware standards, while the idea of targeting a small base of Linux users with commercial banking malware sounds fanciful.

Why buy software to target 0.5 percent of the world's desktops when a programme costing a third as much can be used to attack the 94 percent running Microsoft's software?

If Linux users were to hold any attraction for criminals, it would most likely be as a source of server and system credentials, stolen as part of reconnaissance in advance of an APT-style attack.

"Without the ability to spread the malware as widely as on the Windows platform, the price tag seems hefty," said Kessem.

Stories by John E Dunn