A recent piece of Linux malware targeting Linux desktop users has been seen in some forums. The malware is called “Hand of Thief” or Hanthie. Linux malware usually tends to compromise Linux server installations rather than desktop users; Hanthie is different in that it targets Linux desktop installations. Its core functionality is form and cookie grabbing in Firefox, Chrome and Chromium. It also includes a backdoor to access the PC via a reverse shell or via a SOCKS connection.
The known version of Hanthie starts its processes in user space under a fake kernel-thread name, [flush-8:0]. Unlike a genuine kernel thread, these processes are started from the init process (PID 1) rather than from the kernel. The current detection can therefore be performed from user space with the following script, which looks for a [flush…] process whose parent PID is 1:
if [[ $(ps -eaf|grep "\[flush" | tr -s " " |cut -d" " -f 3|grep ^1$) ]]; then echo "Infection suspected"; else echo "No infection suspected"; fi
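The check above is specific to the [flush-8:0] name. The following script is an added example (not CIRCL's own script) that generalises the same idea: it parses ps -eaf output and reports every process whose command looks like a kernel thread ("[name]") but which is not a child of kthreadd (PID 2), since on Linux kernels that have kthreadd every genuine kernel thread descends from it. It assumes the ps -eaf column layout (UID PID PPID C STIME TTY TIME CMD) and runs over a constructed sample listing so it works offline; pass --live to run it against the real process table.

```shell
#!/bin/sh
# Added example, not part of the CIRCL advisory: flag user-space processes that
# masquerade as kernel threads. Assumption: every genuine kernel thread has
# kthreadd (PID 2) as its parent, so a "[name]" process with another parent
# (e.g. init, PID 1, as Hanthie does) deserves a closer look.

# Constructed sample of `ps -eaf` output; not a real capture.
# Line 4 is a genuine writeback thread (parent 2), line 6 mimics Hanthie (parent 1).
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 08:00 ?        00:00:01 /sbin/init
root         2     0  0 08:00 ?        00:00:00 [kthreadd]
root       123     2  0 08:00 ?        00:00:00 [flush-8:0]
root       456     2  0 08:00 ?        00:00:00 [kworker/0:1]
user      2048     1  0 08:05 ?        00:00:00 [flush-8:0]
user      2051  2048  0 08:05 pts/0    00:00:00 bash'

# Reads ps -eaf output on stdin and prints "PID PPID CMD" for each suspect.
# Skips the header, kthreadd itself (PID 2), real kernel threads (PPID 2) and
# zombies, which ps also shows in brackets but marks as <defunct>.
suspicious_kthreads() {
    awk 'NR > 1 && $8 ~ /^\[.*\]$/ && $2 != 2 && $3 != 2 && $9 != "<defunct>" {
        print $2, $3, $8
    }'
}

# Runs the detection over the constructed sample; returns the suspect line(s).
demo() {
    printf '%s\n' "$SAMPLE_PS" | suspicious_kthreads
}

# Exit status 1 if any suspect is found (useful from cron or a monitoring hook).
check_live() {
    found=$(ps -eaf | suspicious_kthreads)
    if [ -n "$found" ]; then
        echo "Infection suspected:"
        echo "$found"
        return 1
    fi
    echo "No infection suspected"
}

if [ "$1" = "--live" ]; then
    check_live
else
    demo
fi
```

Run without arguments it prints `2048 1 [flush-8:0]`, the only bracketed process in the sample whose parent is not kthreadd. A hit is a reason to inspect /proc/PID/exe and /proc/PID/cmdline, not proof of infection on its own: a user process that deliberately clears its argv can also appear in brackets.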
CIRCL usually recommends reinstalling the complete system when an infection is detected, because it is unknown whether additional components have been loaded or installed. Nevertheless, there is a simple method to remove the initial Hanthie processes and their start-up files in case of infection:
kill $(ps -eaf|grep "\[flush"| tr -s " " |cut -d" " -f 2,3 | grep " 1$"|cut -d" " -f1)
rm ~/.config/autostart/system-firewall.s3cr3t_b0t_k3y.desktop
rm ~/.config/.System-Firewalls/system-firewall.s3cr3t_b0t_k3y.config
- If you detect such malware in your infrastructure, CIRCL is interested in obtaining samples, which would help to better detect newer or other versions of this malware.
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
- Additional reference Linux Trojan “Hand of Thief” ungloved (avast! blog).
- Version 1.0, August 28, 2013: Initial version (TLP:WHITE)