Thanatos: Malware that Attacks Malware

Hi everybody,

Thanatos is a new strain of malware that scans a target network for other malware; it gains the ability to target that malware through intelligent plugins, and it is named after the Greek god of death for this reason. Reportedly the malware is available in the ‘crimeware underground’ at a price of $1,000 per month or $12,000 for a lifetime subscription.

Thanatos shows the characteristics of the multi-staged malware commonly found in Advanced Persistent Threat (APT) tooling; where this malicious software has real power is in its ability to obliterate what we typically call ‘low-level’ attacks.

Nitsan Saddan, Head of threat intelligence research at Cymmetria, explained in a post, “Thanatos uses 3-8 hardcoded flags to find malware by searching the host’s task scheduler, services and registry. Once a suspicious signature is detected, Thanatos selectively uploads it to make sure it’s malicious and then erases it from the host. Another interesting feature is its ability to remove hooks placed by competing malware, in order to avoid data theft by other criminals.”

He further explains that Thanatos was written in C++ and Delphi as well as Microsoft Macro Assembler (MASM), an x86 assembler that uses Intel syntax and targets MS-DOS and Microsoft Windows. This means “every version of Windows (from XP onward)” can be compromised. The malware can also inject malicious code into Internet Explorer, Microsoft’s new Edge browser, Google Chrome and Firefox.

Lee Munson, Researcher at asserted that cybercriminals have one aim in mind, return on that investment: “That means avoiding detection for as long as possible in order to acquire as much valuable data as possible but, more than that, it also needs to be first to market with that data; after all, who will pay top dollar for information already stolen by the competition, using a different type of malware? That’s where Thanatos comes in.”

Richard Cassidy, technical director EMEA, Alert said, “It’s a mercenary world in the cyber-criminal domain; it is no wonder, therefore, that we are now seeing a strain of ‘super malware’ that works to ensure its own foothold is not compromised even when another bad actor group may already have compromised the target. There are key attributes that this new strain of ‘super malware’ exhibits that, with the right visibility capabilities, continuous monitoring and review process, will place organisations in a much better position to detect indicators of compromise and as such be able to enact a well defined incident response plan to mitigate the threat.”

He pointed out that APTs are created with a great deal of research and development effort and are designed to bypass modern security tools.

“That said however, in the age of big-data analytics, we are now placed, better than ever before, to have complete visibility of every transaction to and from our key assets in cloud, hybrid or on-premise environments,” he added.

Finally, researcher Saddan commented that this threat can be dealt with by properly training employees and by adding layered deception elements to the company’s defense grid; by targeting the attacker and not just this particular attack, you can defend against dynamic threats such as this one.

Source: Akati
