
Thieves Reaching for Linux—“Hand of Thief” Trojan Targets Linux #INTH3WILD

Just two weeks after reporting about the commercialization of the KINS banking Trojan, RSA reveals yet another weapon to be used in a cybercriminal’s arsenal.

It appears that a Russia-based cybercrime team has set its sights on offering a new banking Trojan targeting the Linux operating system. This appears to be a commercial operation, complete with support/sales agents and software developer(s).

Meet the “Hand of Thief” Trojan 

Hand of Thief is a Trojan designed to steal information from machines running the Linux OS. This malware is currently offered for sale in closed cybercrime communities for $2,000 USD (€1,500 EUR) with free updates. The current functionality includes form grabbers and backdoor capabilities; however, the Trojan is expected to gain a new suite of web injections and graduate to full-blown banking malware in the very near future. At that point, the price is expected to rise to $3,000 USD (€2,250 EUR), plus a hefty $550 per major version release. These prices coincide with those quoted by developers who released similar malware for the Windows OS, which would price Hand of Thief well above market value, considering the relatively small user base of Linux.

Thieves Reaching for Linux—“Hand of Thief” Trojan Targets Linux #INTH3WILD | RSA Blog

Carberp source code confirmed leaked

Carberp trojan
Last week, rumors started circulating that the source code for the crimekit known as “Carberp” had been leaked on the net. However, the code resided inside a password-protected zip file, so it could not be confirmed that the leak was genuine, a very similar situation to when the source code for ZeuS was leaked.

CSIS has been investigating this further and now confirms that we have the complete source code for Carberp and that the code compiles and works just as described in the associated text files included in the package. The package also includes the Carberp bootkit along with other source code for what seems to be e.g. Stone bootkit, Citadel, Ursnif etc. The package is currently undergoing deeper analysis. We also found several text files containing apparently private chats and various usernames and passwords for several FTP servers.

The most sophisticated Android Trojan

Android Trojan
Recently, an Android application came to us for analysis. At a glance, we knew this one was special. All strings in the DEX file were encrypted, and the code was obfuscated.

The file turned out to be a multi-functional Trojan, capable of the following: sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and/or sending them further via Bluetooth; and remotely performing commands in the console. Now, Kaspersky Lab’s products detect this malicious program as Backdoor.AndroidOS.Obad.a.