The Hand of Thief uses a form grabber to steal IDs, passwords and other information pertaining to Internet banking. The crimeware detects Internet banking information while the user enters it into a browser form, capturing it along with identifying data and storing it in a MySQL database.
Hand of Thief's more advanced features include:
- Cookie stealing to allow it to masquerade as the customer.
- A back door with a SOCKS5 proxy to help avoid detection.
- Form grabbing that works not only in HTTP but HTTPS too.
- Blocking of communications to anti-virus and other software updates that could detect and remove it.
Hand of Thief includes a virtual machine and debugger check that detects if it may be running in a research sandbox environment. If a research environment is suspected, the software terminates execution to prevent researchers from learning about it.
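As an added defender-side illustration (not code from the original article): the page does not say how Hand of Thief blocks anti-virus and update traffic, so this script assumes the common crimeware approach of pinning update domains in /etc/hosts and audits a hosts file for it. The watched domain list and the sample hosts file are constructed.

```python
import ipaddress
import re

# Domains a banking trojan would want to sinkhole so that AV signatures
# and OS packages stop updating. Constructed, illustrative list.
WATCHED_DOMAINS = {
    "updates.example-av.com",
    "security.ubuntu.com",
    "archive.ubuntu.com",
    "mirrors.fedoraproject.org",
}

HOSTS_LINE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<names>.+?)\s*(?:#.*)?$")

def is_sinkhole(ip: str) -> bool:
    """True if the address silently discards or loops back traffic."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def find_blocked_hosts(hosts_text: str) -> list[tuple[str, str, int]]:
    """Return (domain, ip, line_no) for watched domains pinned in the hosts
    file. Any pinning is reported: even a routable IP means the attacker
    now decides where update requests go."""
    findings = []
    for line_no, line in enumerate(hosts_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        for name in m.group("names").split():
            if name.lower() in WATCHED_DOMAINS:
                findings.append((name.lower(), ip, line_no))
    return findings

# Constructed sample hosts file: lines 1-3 are benign, 4-5 show tampering.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost ip6-localhost
192.168.1.10 fileserver.lan
0.0.0.0 security.ubuntu.com archive.ubuntu.com  # added by malware
127.0.0.1 updates.example-av.com
"""
```

On a live host, pass the contents of /etc/hosts to `find_blocked_hosts` and treat any hit on a sinkhole address as a strong indicator of update-blocking malware.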