
A Russian group of cyber crooks is selling a new banking Trojan - in a fully-fledged commercial operation that offers support, sales and development.
Coming hot on the heels of the KINS Trojan that ITWeb reported on a couple of weeks ago, Hand of Thief is designed to steal information from machines running Linux OS.
The Trojan's basic administration panel allows the "botmaster" to control the infected machines. Hand of Thief collects the stolen credentials and stores the information in a MySQL database.
The Trojan is selling for $2 000 in closed cyber crime communities, and boasts free updates.
Limor Kessem, one of RSA's cyber security experts, says in her blog that its current functionality includes backdoor capabilities as well as form-grabbers. RSA expects it will soon feature a new suite of Web injections that would elevate it to a full-function banking Trojan.
Should this happen, Kessem expects the price to increase to $3 000, with an extra $550 outlay for every major version release.
However, she notes that although these prices are similar to those charged by developers of comparable malware targeting Windows, Hand of Thief is effectively priced above market value, given the relative unpopularity of Linux as a desktop OS and the smaller pool of victims that implies.
Although commercial Trojans are in high demand at the moment, Linux malware is uncommon, and for good reason, claims Kessem.
"In comparison to Windows, Linux's user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains. Secondly, since Linux is open source, vulnerabilities are patched relatively quickly by the community of users," she says.
In addition, no "significant" exploit packs exist that target the Linux platform, and without them it is difficult to infect Linux users at scale. Kessem had a conversation with one of the Trojan's "sales agents", who said e-mail and social engineering would be the best possible infection vectors.
The Trojan's authors say they have tested the Trojan on 15 different Linux desktop distributions and claim it supports eight different desktop environments.
Hand of Thief's current features reveal similarities to a banking Trojan, including a form-grabber for both HTTP and HTTPS sessions. It supports the major browsers as well as Linux-specific ones.
It employs a feature similar to one in the notorious Citadel Trojan - block lists that prevent access to specific hosts, designed to isolate bots from AV and system updates. Other features include an anti-research toolbox with anti-VM, anti-sandbox and anti-debugger checks.
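The article does not say how Hand of Thief implements its block list. The usual way a Citadel-style block list is done on a host, and the assumption behind this added example (which is not code from the article, from RSA or from the Trojan), is to point update and AV hostnames at a loopback or unspecified address in /etc/hosts so that the bot can never reach them. The script below parses hosts-file text and flags such sinkholed entries, splitting them into hits on a hypothetical watch list of vendor and update domains and other non-local names sent to a sinkhole. The sample file content is constructed for the example, and a legitimate ad-blocking hosts file produces the same pattern, which is why the second list exists.

```python
"""Flag hosts-file entries that sinkhole update or security-vendor hostnames.

Added example, not the article's or RSA's code. It assumes the block list
works by mapping hostnames to a loopback (127.0.0.1, ::1) or unspecified
(0.0.0.0) address in /etc/hosts; the article does not say how Hand of Thief
does it.
"""
import ipaddress
import sys

# Names that legitimately map to loopback in every hosts file.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
    "ip6-allnodes", "ip6-allrouters",
}

# Hypothetical watch list: hosts a bot would want to cut off. Extend it with
# the update mirrors and AV vendors that matter in your environment.
WATCHED_SUFFIXES = (
    "ubuntu.com", "debian.org", "clamav.net",
    "virustotal.com", "kaspersky.com", "symantec.com",
)

# Constructed sample, not captured from a real infection.
SAMPLE_HOSTS = """127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
192.168.1.20 fileserver.lan
# the lines below are of the kind a block list would add (constructed)
127.0.0.1   security.ubuntu.com
0.0.0.0     clamav.net database.clamav.net
127.0.0.1   www.virustotal.com   # comment after the entry
0.0.0.0     ads.example.net
"""


def _is_sinkhole(addr):
    """True for loopback or unspecified addresses (v4 or v6)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments are dropped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip("."), line_no


def _is_watched(name, watched):
    return any(name == s or name.endswith("." + s) for s in watched)


def find_sinkholed(text, watched=WATCHED_SUFFIXES):
    """Return (blocked_watched, other_suspicious).

    Each entry is (line_no, ip, hostname). blocked_watched holds watch-list
    hosts sent to a sinkhole; other_suspicious holds any other non-local name
    sent there (ad-block lists land here, so treat it as a lead, not a verdict).
    """
    blocked, other = [], []
    for ip, name, line_no in parse_hosts(text):
        if name in LOCAL_NAMES or not _is_sinkhole(ip):
            continue
        (blocked if _is_watched(name, watched) else other).append((line_no, ip, name))
    return blocked, other


if __name__ == "__main__":
    # Pass a path to scan a real file; with no argument the constructed sample is used.
    content = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    hits, leads = find_sinkholed(content)
    for line_no, ip, name in hits:
        print(f"BLOCKED  line {line_no}: {name} -> {ip}")
    for line_no, ip, name in leads:
        print(f"SUSPECT  line {line_no}: {name} -> {ip}")
```

Run it as `python3 check_hosts.py /etc/hosts` on a suspect box. A hit is only a lead: confirm with `lsattr /etc/hosts` (an immutable bit set by something other than your own hardening is itself a finding), compare against your golden image, and remember that the same blocking can be done in the resolver, a proxy setting or netfilter rather than the hosts file, so a clean file does not clear the machine.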