“Our research and analysis shows that, in reality, HoT’s grabbing abilities are very limited if not absent, which would make the malware a prototype that needs a lot more work before it can be considered a commercially viable banking Trojan,” said Yotam Gottesman, senior security researcher at RSA’s FraudAction Research Labs, in a forensic analysis.
Hand of Thief was advertised as a banking trojan by its developer, programmed to be a form grabber and backdoor. It has yet to be deployed in the wild, and there’s a likely reason why. In testing on two machines, it had difficulty returning data to its command-and-control (C&C) servers. In some cases its missives were blank. When it was successful, it delivered unfiltered data that would require hours of sifting by the user to pick out relevant information.
“When using Firefox on the infected machine, HoT captured only empty requests with no information being delivered to the drop server,” Gottesman said. “When browsing with Google Chrome HoT did manage to capture some requests and relay them to its server. In both cases, the Trojan worked without a trigger list or any other way to filter the information its operator would be interested to collect; this means that the malware captured every single request from the browser in a very generic manner (even sending the drop zone pages that were browsed as part of a session). Grabbing requests in this manner will quickly clutter the drop server with useless data.”
On both machines, rather than operating silently, it caused the browser to freeze, or even crash, on most occasions, with no cause that would be apparent to the user – a big red flag for any malware that depends on staying unnoticed.
“Since Trojans are meant to be as silent as possible and not show any malfunction of the PC, Hand of Thief’s issue with making the browser freeze or crash altogether is likely to cause the user to run security software on the PC or install another browser, likely causing the malware to stop functioning,” the researcher noted.
Other issues include the fact that it will only run on 32-bit versions of the Linux OS (running HoT on a 64-bit machine would require some workarounds). HoT’s developer has also said that he is in the final stages of implementing the web-injection mechanism for the malware. RSA’s research, however, proved that no injections are in place, although the groundwork for such a mechanism is.
“Hand of Thief’s developer claims that he is in the final stages of implementing a web-injections mechanism, but since the Form grabber he designed is not functional on the browsers he claims to have tested, the injections are not very likely to work either,” Gottesman said.
There are other fundamental issues with the trojan in terms of infection vectors: the Linux platform does not have the same kind of commercial exploit packs used in mass drive-by-download campaigns (the most popular infection method on the Windows OS). Moreover, Hand of Thief’s developer did not offer a recommended infection method other than sending the trojan via email and using some social engineering to get the user to launch the malware on their machine.
“Hand of Thief has come to the cybercrime underground at a time when commercial Trojans are high in demand, stirring some excitement amongst criminals. Although it initially appeared to be a compelling new Trojan entrant, RSA’s in-depth analysis of the code proves it is a prototype more than true commercially viable malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data,” Gottesman concluded. “Furthermore, HoT can also be easily removed from the machine by deleting the files dropped during the HoT installation process.”