‘Hand Of Thief’ Trojan Targets Linux Users’ Bank Accounts

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Researchers surprised by high price of Linux Trojan selling for $2,000 on Russian underground forums

Russian underground crooks are selling a Trojan on dark web forums targeting bank accounts of Linux OS users, offering full services around it too.

The Hand of Thief malware is selling at $2,000 (£1290) but currently has limited functionality with form grabbers and some backdoor capabilities. But RSA, EMC’s security arm, believes it will be updated to gain web injection capabilities, to “graduate to become full-blown banking malware in the very near future”.

Malware - Fotolia: skull button © alekup #34457353When that happens, the price will rise to  $3,000. Another $550 will have to be paid for every major release after that.

Linux malware

The underground seller claimed to have tested the Trojan on 15 different Linux distributions, including the hugely popular Fedora and Debian versions.

The malware harvests logins, before sending them to a MySQL database along with other data, including related websites, POST data and timestamps.

RSA was surprised to see Linux malware selling for such a high price, given the comparatively lower use base of the open source OS and its frequent security updates.

“Since Linux is open source, vulnerabilities are patched relatively quickly by the community of users. Backing this up is the fact that there aren’t significant exploit packs targeting the platform,” said Limor Kessem, cyber intelligence expert at RSA, in a blog post.

“In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector.

“Does Hand of Thief represent the early signs of Linux becoming less secure as cyber crime migrates to the platform?”

What do you know about Internet security? Find out with our quiz!