A multicomponent Trojan for Linux. Once launched, it checks whether its own process is already running in the system and whether it is being run inside a virtual machine. It installs itself by creating an autorun file (for example, ~/.config/autostart/system-firewall.<string>.desktop) and copying itself to a folder on disk (for example, ~/.config/.System_Firewall/system-firewall.<string>.config). In the temporary folder, the malware creates an executable library and tries to inject it into running processes. If the attempt fails, Linux.Hanthie runs a new executable file that resides in the temporary folder and is responsible for communication with the server. After that, the Trojan deletes the original copy of the file.
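The persistence mechanism described above (an XDG autostart entry pointing at a copy hidden in a dot-directory under ~/.config) is easy to audit from the defender's side. The following is an added example, not code from the original description or from Dr.Web: it parses ~/.config/autostart/*.desktop files, resolves the Exec target, and flags entries whose file name follows the system-firewall.<string> pattern or whose program lives in a hidden directory under ~/.config. The sample home directory, the name pattern regex and the benign nextcloud.desktop entry are constructed assumptions for illustration.

```python
"""Audit user autostart entries for the layout described for Linux.Hanthie.
Added example; the name pattern and sample files are assumptions, not
indicators published in the original description."""
import configparser
import re
import tempfile
from pathlib import Path

# Assumed naming pattern, taken from the example paths in the description:
# "system-firewall.<string>" with a .desktop or .config extension.
NAME_PATTERN = re.compile(r"^system-firewall\.[^./]+\.(desktop|config)$")


def parse_desktop_exec(path):
    """Return the Exec= value from a freedesktop .desktop file, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read(path, encoding="utf-8")
    except configparser.Error:
        return None
    return parser.get("Desktop Entry", "Exec", fallback=None)


def exec_target(exec_value, home):
    """Resolve the program path of an Exec= line (first token, ~ expanded)."""
    tokens = exec_value.split()
    first = tokens[0] if tokens else ""
    if first.startswith("~"):
        first = str(home) + first[1:]
    return Path(first)


def audit_autostart(home):
    """Scan <home>/.config/autostart and return a list of findings.

    Each finding is {"file": <desktop file name>, "exec": <Exec value>,
    "reasons": [...]}; entries with no reasons are not reported."""
    home = Path(home)
    config_dir = home / ".config"
    autostart = config_dir / "autostart"
    findings = []
    if not autostart.is_dir():
        return findings
    for entry in sorted(autostart.glob("*.desktop")):
        reasons = []
        exec_value = parse_desktop_exec(entry) or ""
        if NAME_PATTERN.match(entry.name):
            reasons.append("autostart file name matches system-firewall.<string>.desktop")
        if exec_value:
            target = exec_target(exec_value, home)
            if NAME_PATTERN.match(target.name):
                reasons.append("Exec target name matches system-firewall.<string>.config")
            try:
                rel = target.relative_to(config_dir)
            except ValueError:
                rel = None
            # A program kept inside a dot-directory under ~/.config is unusual for
            # legitimate autostart entries and matches the described copy location.
            if rel is not None and any(p.startswith(".") for p in rel.parts[:-1]):
                reasons.append("Exec target lives in a hidden directory under ~/.config")
        if reasons:
            findings.append({"file": entry.name, "exec": exec_value, "reasons": reasons})
    return findings


def build_sample_home():
    """Create a temporary fake home with constructed .desktop files:
    one benign entry and one mirroring the described Hanthie layout."""
    home = Path(tempfile.mkdtemp(prefix="hanthie-audit-"))
    autostart = home / ".config" / "autostart"
    autostart.mkdir(parents=True)
    (autostart / "nextcloud.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Nextcloud\nExec=/usr/bin/nextcloud --background\n")
    # Constructed payload path following the example from the description.
    payload = home / ".config" / ".System_Firewall" / "system-firewall.a1b2c3.config"
    (autostart / "system-firewall.a1b2c3.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=System Firewall\nExec=%s\n" % payload)
    return home


def demo():
    """Run the audit against the constructed sample home."""
    return audit_autostart(build_sample_home())


if __name__ == "__main__":
    for finding in demo():
        print(finding["file"], "->", finding["exec"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run it against a real account with `audit_autostart(Path.home())`; the three checks are deliberately independent so that a renamed payload still trips the hidden-directory check, and a benign entry is only reported if at least one reason applies.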
Into Firefox, Google Chrome, Opera, Chromium, and IceWeasel, the Trojan embeds a grabber that intercepts data transferred over HTTP and HTTPS and sends the cybercriminals the data entered by the user into web forms. Linux.Hanthie can execute the following commands:
- socks—start a proxy server,
- bind—run a port listener script,
- bc—connect to the command and control server,
- update—download and install updates,
- rm—remove itself.