In Greek Mythology, Thanatos was a minor figure and daemon personification of death. He always had a strained relationship with the man at the top, Zeus. In the Malware world, Zeus is about to be overthrown.

In 2014, the FBI and UK NCA (National Crime Agency) spent exhaustive resources taking down two of the world’s most dangerous financial fraud operations: the Gameover Zeus botnet and the Cryptolocker ransomware network. Zeus was responsible for millions of infections in a little under three years. During that time it was able to defraud customers of hundreds of financial establishments across the globe.  Now, this monster of a malware is about to be replaced. Allow me to introduce our next at bat and what I’m going to call the malware of 2016 : Thanatos.

Last month researchers over at Proofpoint came across a never before documented malware strain that was dropped by the Nuclear exploit kit. It’s being marketed in the underground as both a service and subscription with extensive support and development both in plugins and functionality. This really makes it a one stop shop for cyber criminals who are after a specific, long term objective.

From the original vendor posting [1]

SOCKS4b/5
– This plugin will bypass NAT/Network Firewall
– It will work with a back-connect server and not through SSH

HiddenVNC
– This will not be a rip-off of Zeus like everyone before us
– We plan to make ours much more stable in terms of connection speed & encoding quality
– This plugin will not require admin permissions and but will require a back-connect server

HiddenFTP
– This will be a plugin similar to that of the Ramnit botnet
– You will be able remotely download/upload files from the victim you choose
– This plugin will not require admin permissions but will require a back-connect server

Anti-hook: Removes hooks in target processes from other bots so that no one (other bots on same victim) will have your logs

Bot-killer: AV-Module will scan for other bots on the system, and will remove them once detected (scans task scheduler, registry, services (if admin), and environment variable paths). If the process is considered malicious (from 3-8 hardcoded flags), it will upload file to virustotal.com and parse results from page, if detection on > 3 AV’s then malicious file will be removed from system.

The final two portions of that posting are terrifying. A malware that can scan for other bots and remove them if detected will help it remain inconspicuous to the user. These features will make this one of the most profitable and frustrating pieces of malware in 2016.  With the functionality to disrupt every major version of Windows (including the 8 month old Edge browser) and a pretty cheap price tag (12,000 USD for a lifetime license), get ready to start calling vendors for patches.  I’ll give it about 60 days before financial, technology, and healthcare start seeing this, and 90 days before it hits government.  This malware, as stated in the advertisement posted at Proofpoint, makes a reference to the Zeus botnet, stating that it will not be just another copy.

If you are a security professional, do NOT look at this like the same rip-offs we’ve seen in the past two years. It’s new, it’s different, and it’s going to be painful.

[1] Proofpoint https://www.proofpoint.com/us/threat…an-Hits-Market