{
	"id": "da142cfe-80cf-4f36-aff0-9bc6b0e80c7c",
	"created_at": "2026-04-06T00:22:11.292663Z",
	"updated_at": "2026-04-10T03:36:47.953394Z",
	"deleted_at": null,
	"sha1_hash": "b48c0cbf37f17205361c53ee452336f268c40bf7",
	"title": "Linux Trojan “Hand of Thief” ungloved",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 170874,
	"plain_text": "Linux Trojan “Hand of Thief” ungloved\r\nBy Threat Intelligence Team 27 Aug 2013\r\nArchived: 2026-04-05 20:06:27 UTC\r\nA new threat for the Linux platform was first mentioned on August 7th by RSA researchers, who dubbed it Hand of Thief. The two main capabilities of this Trojan are form-grabbing in Linux-specific browsers and entering a victim's computer through a backdoor. Moreover, it is equipped with features such as anti-virtualization and anti-monitoring checks. With the level of overall sophistication Hand of Thief displays, it can be compared to infamous non-Windows threats such as the Flashback Trojan for the Mac OS X platform discovered last year or the Obad Trojan for Android from recent times.\r\nA detailed analysis uncovers the following structure of the initial file, with all parts after the dropper being encrypted (the hexadecimal number shows the starting offset of each block):\r\nRunning the program on a native Linux system with the parameter \"-v\" displays the version info \"0.1.0.7\".\r\nDropper and Self-Protection\r\nThe dropper is packed with the UPX packer, so the executable is not directly available for static analysis. We unpack it by applying the original UPX program with the parameter -d to the dropper part of the initial binary alone. The readability of almost all character strings is hindered by XOR encryption with a varying 8-bit key. This is a very common property shared among both Windows and non-Windows Trojans.\r\nImmediately after start, the Trojan checks whether it is running in a virtualized environment. The realization of this check depends on the virtualization software: it searches for the substrings \"VBOX\" and \"VMware\" in the listed SCSI devices (to suppress this check it is enough to remove read permissions on the file /proc/scsi/scsi); it looks for the substrings \"UML\", \"PowerVM Lx86\", \"QEMU\" or \"IBM/S390\" in the /proc/cpuinfo file; and it checks for access to /proc/vz or /proc/bc, which exist if an OpenVZ kernel is running:\r\nhttps://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/\r\nPage 1 of 6\r\nThe presence of any of these signs leads to an early end of execution. The Trojan also exits if the root directory is chrooted, which it detects by comparing particular lines in /proc/1/mountinfo and /proc/\u003cgetpid()\u003e/mountinfo. Chrooting is basically a security feature in which a running process does not have access to the real root directory but to another branch of the file system tree that acts as one.\r\nThen it decrypts the config file appended at the end of the binary (starting at offset 0x24244 with a length of 0x1E0) and initializes its global variables with entries from the config file (values are resolved using the regcomp, regexec and regfree functions). We analyzed a sample with the following one (a private IP address serving as the C\u0026C whispers that this bot is in the debugging process and not in the wild):\r\nTo achieve persistence after reboot, the Trojan is suspected to create a configuration file called system-firewall.desktop within the path ~/.config/autostart containing the following settings (%s is appropriately replaced):\r\n[Desktop Entry]\r\nEncoding=UTF-8\r\nType=Application\r\nExec=%s\r\nTerminal=false\r\nName=System Firewall\r\nStartupNotify=false\r\nThe step that follows is the installation of the modules containing the main functionality into the /tmp/ directory and changing their access permissions with the command chroot with the parameter -x. The procedure consists of mapping the binary into memory and copying the relevant part to a buffer that is decrypted with AES using a 256-bit key. For the executable of length 24848 it is performed like this (the marked values denote the target file name, the starting offset in the binary and the access permissions):\r\nThe shared object is injected into every process whose name does not contain the substring gnome-session, dbus or pulseaudio. The injection is performed with a method similar to the one described at Black Hat 2001 by Shaun Clowes. A reimplementation is available on GitHub.\r\nCore Functionality\r\nThe shared object starts two threads. The first one is called aaa, and it listens for a command from the C\u0026C to execute an action: the bc command triggers the BackConnect daemon called p0stfix, which serves as a reverse shell with the victim connecting to a particular socket; the bind command starts the BindPort daemon called unix-daemon, acting as a bind shell with the attacker receiving the output of a shell (after correct authentication); socks runs a proxy via a custom implementation of the SOCKS5 protocol. All these features are realized through embedded Perl scripts. Other commands are named d_exec and update, and they attempt to execute newly downloaded files from the C\u0026C server.\r\nThe second thread is denoted bbb. It performs the injection of the shared object starting at offset 0x19CF4 into the mapping space of running browsers by the same method mentioned above. This serves as the initialization of the form-grabbing feature. Supported browsers are Chromium, Chrome and Firefox. The interception of data submitted by the Firefox browser is realized by redirecting the program flow of the original libnspr40.so!PR_Write function to the Trojan's custom implementation hPR_Write_ptr:\r\nIntercepted data, statistics of the bot's execution, and commands from the C\u0026C are all handled via a custom communication protocol based on AES encryption with 256-bit keys combined with Base64 encoding:\r\nhandofthief_HTTP_encrypt_AES\r\nMoreover, we observed an anti-monitoring check (no communication if wireshark or tcpdump is running):\r\nFinally, the exported function drow_image displays about info in the form of nice ASCII art that confirms the creativity of the author (an owl sitting on a tree can be recognized):\r\nConclusion\r\nThe Linux operating system is designed to have a high level of security. However, this year a few attempts to attack web servers through backdoors redirecting traffic or malicious Apache modules have been discovered. The aim of this Trojan is to compromise user desktop systems. With features designed to abuse sensitive browser information, it could push Linux users a step forward into this specific environment, the same threatening environment in which Windows users have existed for years. The statement that the Linux platform is absolutely secure now seems even more illusory.\r\nSources\r\nSHA256 hashes of some selected samples:\r\nAcknowledgements\r\nThanks go to my colleague, Pavel Šrámek, for discussions about the Linux platform.\r\nSource: https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/"
	],
	"report_names": [
		"linux-trojan-hand-of-thief-ungloved"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434931,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b48c0cbf37f17205361c53ee452336f268c40bf7.pdf",
		"text": "https://archive.orkl.eu/b48c0cbf37f17205361c53ee452336f268c40bf7.txt",
		"img": "https://archive.orkl.eu/b48c0cbf37f17205361c53ee452336f268c40bf7.jpg"
	}
}