Hard on the heels of the discovery of the Russia-originated KINS banking trojan, a different Cyrillic cybercrime team has developed a financial Trojan targeting the Linux operating system.
The appropriately named ‘Hand of Thief’ Trojan is for sale in closed cybercrime communities for $2,000, with free updates, according to RSA cyber-intelligence expert Limor Kessem.
The functionality includes form-grabbers and backdoor capabilities for now, but it is expected that the trojan will have a new suite of web injections soon, she explained. It should, therefore, graduate to become full-blown banking malware in the very near future.
At that point, the price is expected to rise to $3,000, plus $550 per major version release.
Kessem said: "Although Hand of Thief comes to the underground at a time when commercial Trojans are high in demand, writing malware for the Linux OS is uncommon, and for good reason.
"In comparison to Windows, Linux’s user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains. Secondly, since Linux is open source, vulnerabilities are patched relatively quickly by the community of users.
"These prices coincide with those quoted by developers who released similar malware for the Windows OS, which would make Hand of Thief relatively priced way above market value considering the relatively small user base of Linux."
Also, it is notable that there are no significant exploit packs targeting the Linux platform. "In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector," Kessem said.
However, with recent recommendations to leave the supposedly insecure Windows OS for the safer Linux distributions, Hand of Thief could represent the early signs of Linux becoming less secure as cybercrime migrates to the platform, she added.
Kessem said that the commercial operation includes support/sales agents and software developers. So far, the group said that the trojan has been tested on 15 different Linux desktop distributions, including Ubuntu, Fedora and Debian. As for desktop environments, the malware supports eight different environments, including GNOME and KDE.
RSA researchers managed to obtain the malware builder, as well as the server-side source code, and a preliminary analysis showed that the initial features include a form grabber for both HTTP and HTTPS sessions; supported browsers include Firefox and Google Chrome, as well as several other Linux-only browsers, such as Chromium, Aurora and Iceweasel.
It also offers a block list preventing access to specified hosts (a similar deployment is used by the Citadel trojan to isolate bots from security updates and anti-virus providers), and an anti-research toolbox, which includes anti-VM, anti-sandbox and anti-debugger features.
The developer has also written a basic administration panel for the trojan, allowing the botmaster to control the infected machines reporting to it. The panel shows a list of the bots, provides a querying interface and offers run-of-the-mill bot management options.
The Trojan’s infrastructure collects the stolen credentials and stores the information in a MySQL database. Captured data includes information such as timestamp, user agent, website visited and POST data. Hand of Thief also exhibits cookie-stealing functionality.