Linux Bank Trojan 'Hand of Thief' debuts

Sometimes it’s easy to forget that malware targets other operating systems besides Windows. It does exist, however, and it is just as potent in its malicious nature.

Researchers at RSA recently uncovered a new Linux bank Trojan called “Hand of Thief”. Offered in closed cyber-crime communities, Hand of Thief “appears to be a commercial operation, which includes support/sales agents and software developer(s)”, according to Limor Kessem at RSA.

RSA researchers also claim to have the malware builder and some server-side code, but we haven’t managed to get a copy ourselves for analysis yet. In case you aren’t familiar, a builder is used to ‘build’ a custom bot executable. This is useful whenever you want to tailor a bot to beacon to a specific list of C2 servers, connect over several ports, etc.

Image: RSA

The Trojan comes with a big price tag ($2,000 USD), and there are additional costs once you factor in updates and any new modules added in the future. As RSA notes, this seems rather high for Linux malware, since the Linux user base is much smaller than that of Windows.

I can’t argue much with that, considering there are numerous Trojans targeting Windows available at a much lower price point. For example, the infamous Zeus, a multi-purpose Trojan capable of stealing banking information, is freely available to anyone who can find the leaked source code and compile it.

Hand of Thief also comes with an admin panel that the botmaster uses to control bots, a feature common to nearly every botnet or exploit kit. In order to store stolen victim credentials, botmasters first need to create a MySQL database for the panel.

Kessem also states that a new surge in Linux malware like Hand of Thief and KINS might be early indicators the Linux OS is becoming more vulnerable to attack. Perhaps, but the presence of Linux malware alone implies the need for Linux malware protection, something offered by very few vendors.

RSA hasn’t released any detailed analysis on this malware as of yet, so stay tuned for any updates. To read the full article from RSA, click here.


Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis.  Follow him on Twitter @joshcannell

