March 29, 2016

Malware KotH: Thanatos

In Greek Mythology, Thanatos was a minor figure and daemon personification of death. He always had a strained relationship with the man at the top, Zeus. In the Malware world, Zeus is about to be overthrown.

In 2014, the FBI and UK NCA (National Crime Agency) spent exhaustive resources taking down two of the world’s most dangerous financial fraud operations: the Gameover Zeus botnet and the Cryptolocker ransomware network. Zeus was responsible for millions of infections in a little under three years. During that time it was able to defraud customers of hundreds of financial establishments across the globe.  Now, this monster of a malware is about to be replaced. Allow me to introduce our next at bat and what I’m going to call the malware of 2016 : Thanatos.

Last month researchers over at Proofpoint came across a never before documented malware strain that was dropped by the Nuclear exploit kit. It’s being marketed in the underground as both a service and subscription with extensive support and development both in plugins and functionality. This really makes it a one stop shop for cyber criminals who are after a specific, long term objective.

From the original vendor posting [1]

– This plugin will bypass NAT/Network Firewall
– It will work with a back-connect server and not through SSH
– This will not be a rip-off of Zeus like everyone before us
– We plan to make ours much more stable in terms of connection speed & encoding quality
– This plugin will not require admin permissions and but will require a back-connect server
– This will be a plugin similar to that of the Ramnit botnet
– You will be able remotely download/upload files from the victim you choose
– This plugin will not require admin permissions but will require a back-connect server
Anti-hook: Removes hooks in target processes from other bots so that no one (other bots on same victim) will have your logs
Bot-killer: AV-Module will scan for other bots on the system, and will remove them once detected (scans task scheduler, registry, services (if admin), and environment variable paths). If the process is considered malicious (from 3-8 hardcoded flags), it will upload file to and parse results from page, if detection on > 3 AV’s then malicious file will be removed from system.

The final two portions of that posting are terrifying. A malware that can scan for other bots and remove them if detected will help it remain inconspicuous to the user. These features will make this one of the most profitable and frustrating pieces of malware in 2016.  With the functionality to disrupt every major version of Windows (including the 8 month old Edge browser) and a pretty cheap price tag (12,000 USD for a lifetime license), get ready to start calling vendors for patches.  I’ll give it about 60 days before financial, technology, and healthcare start seeing this, and 90 days before it hits government.  This malware, as stated in the advertisement posted at Proofpoint, makes a reference to the Zeus botnet, stating that it will not be just another copy.

If you are a security professional, do NOT look at this like the same rip-offs we’ve seen in the past two years. It’s new, it’s different, and it’s going to be painful.

[1] Proofpoint…an-Hits-Market

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

About Antifreke

SOC Ninja, Security Researcher, threat intelligence and OSINT advocate. Tea Junkie. Follow me on Twitter @Antifreke


Security Research


, ,