TR-15 - Hand of Thief/Hanthie Linux Malware - Detection and Remediation


  1. Overview
  2. Detection
  3. Remediation
  4. Contact
  5. Classification of this document
  6. Reference
  7. Revision


Overview

A Linux malware targeting Linux desktop users, called “Hand of Thief” or Hanthie, has recently been seen in some forums. Linux malware usually tends to compromise Linux server installations rather than desktop users; Hanthie is different in that it targets Linux desktop installations. The core functionalities of the malware are form and cookie grabbing in Firefox, Chrome and Chromium. It also provides a backdoor functionality to access the PC via a reverse shell or via a SOCKS connection.

Detection

The known version of Hanthie runs its processes under the name of a fake kernel process, [flush-8:0], from user-space, and these processes are started from the init process instead of the kernel process. The current detection can therefore be performed from user-space with the following script:

    if [[ $(ps -eaf|grep "\[flush" | tr -s " "  |cut -d" " -f 3|grep ^1$) ]];   then echo "Infection suspected";   else echo "No infection suspected"; fi

Remediation

CIRCL usually recommends reinstalling the complete system when an infection is detected, because it is unknown whether additional components have been loaded or installed. Nevertheless, there is a simple method to remove all the initial Hanthie processes and their starting scripts in case of infection:

    kill $(ps -eaf|grep "\[flush"| tr -s " "  |cut -d" " -f 2,3 | grep " 1$"|cut -d " " -f1)
    rm ~/.config/autostart/system-firewall.s3cr3t_b0t_k3y.desktop
    rm ~/.config/.System-Firewalls/system-firewall.s3cr3t_b0t_k3y.config
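The following is an added example, not CIRCL's own script: it combines the process indicator from the detection section (a process named like the kernel flusher thread whose parent is PID 1) with a check for the two persistence files removed above, and for each hit shows the executable and command line that a genuine kernel thread would not have. The function names and the sample process listing in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not CIRCL's script). Genuine kernel threads descend from
# kthreadd (PID 2), have an empty /proc/<pid>/cmdline and no resolvable
# /proc/<pid>/exe; a user-space process posing as "[flush-8:0]" has both.

# check_listing: reads "PID PPID ARGS" lines on stdin and prints the PID of
# every entry whose ARGS starts with "[flush" and whose parent is PID 1.
# Example input line (constructed): "4242 1 [flush-8:0]"
check_listing() {
    awk 'index($3, "[flush") == 1 && $2 == 1 { print $1 }'
}

# check_autostart: prints each of the persistence files named in the
# remediation section that is present under $HOME; returns 1 if any is.
check_autostart() {
    found=0
    for f in "$HOME/.config/autostart/system-firewall.s3cr3t_b0t_k3y.desktop" \
             "$HOME/.config/.System-Firewalls/system-firewall.s3cr3t_b0t_k3y.config"; do
        [ -e "$f" ] && { echo "persistence file present: $f"; found=1; }
    done
    return $found
}

# check_live: runs check_listing against the running system and, for each
# suspect PID, reports what /proc says about it, then checks the autostart files.
check_live() {
    ps -eo pid=,ppid=,args= | check_listing | while read -r pid; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "<none>")
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        echo "suspect pid=$pid exe=$exe cmdline='$cmd'"
    done
    check_autostart
}
```

Run `check_live` as the affected user; a hit whose exe resolves to a file in the home directory and whose cmdline is non-empty is not a kernel thread.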

Contact

  • If you detect such malware in your infrastructure, CIRCL is interested in obtaining samples, which would help to better detect newer or other versions of this malware.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Reference

Revision

  • Version 1.0 August 28, 2013 Initial version (TLP:WHITE)