
“Hand of Thief” trojan sniffs out banking credentials of Linux users


Not long after the Windows-targeting banking trojan KINS hit the market, saboteurs have introduced new financial malware capable of infecting Linux users.

According to researchers at RSA, the trojan called “Hand of Thief” is being sold on Russian underground forums and will soon offer a “full-blown” suite of malicious features, making it comparable to other major, commercially available banking trojans.

Limor Kessem, a cyber crime and online fraud expert at RSA's FraudAction Research Lab, said in a Wednesday blog post that Hand of Thief is currently for sale for $2,000 – with standard functionalities, like form grabbers and backdoor infection vectors. In the “very near future,” however, its sellers will add a suite of web injections which should push the price up to $3,000, she revealed.

On invite-only cyber crime forums, the developer told potential buyers that the new trojan had been tested on 15 different Linux operating system distributions for desktop users, including Ubuntu, Fedora and Debian. The malware also runs on eight Linux desktop environments, including KDE and GNOME, she said.

The trojan archives stolen credentials and data – like timestamps, websites visited and cookies – in a MySQL database, an open-source database management system.

In a Friday email, Kessem said that since Linux has a smaller user base (and, thus, fewer potential victims for saboteurs) and is known for dispatching speedier patches given its open source nature, it's surprising that attackers developed a high-price banking trojan that specifically targets the operating system.

She said researchers are watching the threat closely as it could indicate that miscreants will increasingly turn to Linux to try to carry out fraud.

"It is quite rare to see real malware for Linux or any UNIX OS," Kessem said. "Programmers don't usually target it and cyber criminals don't aim for it because of the smaller user base."

Because of this, she believes attackers may be hard-pressed to earn massive returns on their investments, though that doesn't mean they won't try.

"In my opinion it will be harder for attackers to exploit Linux users in the traditional way (drive-by and email spam). Beyond the fact that open source gets quickly patched by the community, your everyday Linux user is savvier and more security aware, which makes one less likely to run an executable or open files from unsolicited email," she said.
