Rise of the malware-hunting malware

(Originally published on VentureBeat)

Imagine this scenario: A criminal breaks into a bank and finds another criminal already hard at work cracking the safe. What would happen next? Would they collaborate, or attack each other? Share the loot? Anything’s possible when it comes to thieves meeting in person. But what happens when the crooks aren’t people, but rather different types of malware targeting the same network?

Thanatos, a new malware that popped up last month in crimeware markets around the world, can give us some interesting insights regarding these questions. Apparently, there is no honor among cyber thieves.

First and foremost, the more advanced the attacker, the more dangerous it is when another piece of malware operates in the target’s network. APTs rely on expensive, multi-staged tools that sometimes take years to develop; APT operators are therefore keen to discover other malware for reasons of operational security. A low-level malware operating on the same network might catch the attention of the target’s defense grid and put the entire advanced campaign at risk. In these cases, the APT operators must assess the risk of exposure and carefully plan their next steps. For example, they could try to compromise the other attacker’s tool and snatch the stolen data. If the other attacker has a strong foothold, the APT operators might choose an alternative endpoint, vector, or method, or even give up and move on to the next target.

But while advanced attackers can choose how to act once another piece of malware enters a network they are already roaming, low-level attackers must simply hope that no other attacker will try to hack the same target while they operate. Or at least that was the case before Thanatos.

Competing malware assassination

Thanatos is offered as a subscription tool through crimeware undergrounds, for the price of $1,000 per month (or $12,000 for a lifetime subscription). It has many plugins that give it different abilities, the most interesting of which is the ability to scan a target network for other malware. Thanatos uses 3-8 hardcoded flags to find malware by searching the host’s task scheduler, services, and registry. Once a suspicious signature is detected, Thanatos selectively uploads it to virustotal.com to confirm that it is malicious, and then erases it from the host. Another interesting feature is the ability to remove hooks placed by competing malware, in order to prevent data theft by other criminals.

These abilities improve the malware’s operational security while preventing other criminals from successfully attacking the target. According to Proofpoint, who discovered this malware, Thanatos was written in C++, Masm, and Delphi; it can hack every version of Windows (from XP onward), and can inject malicious code into the IE, Edge, Chrome, and Firefox browsers.
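One defensive takeaway from the behaviour described above is that file submissions to virustotal.com from ordinary workstations are themselves a signal worth watching. The following is an added example, not code from the original article or from Proofpoint: it runs a simple detection over constructed proxy log lines and flags hosts that POST to virustotal.com without being on an assumed analyst-workstation allowlist (the log format, IP addresses and allowlist are all constructed for illustration).

```python
# Added example (not part of the original article): flag hosts that submit
# files to virustotal.com, a behaviour the article attributes to Thanatos.
# The log format, addresses and allowlist below are constructed assumptions.
import re
from collections import defaultdict

# Constructed proxy log: "<time> <src_ip> <method> <url> <status> <bytes_sent>"
SAMPLE_PROXY_LOG = """\
2016-03-01T10:01:02 10.0.0.15 GET https://www.virustotal.com/ 200 512
2016-03-01T10:01:09 10.0.0.15 POST https://www.virustotal.com/vtapi/v2/file/scan 200 248311
2016-03-01T10:02:11 10.0.0.40 POST https://www.virustotal.com/vtapi/v2/file/scan 200 91233
2016-03-01T10:02:30 10.0.0.40 GET https://update.example.com/catalog 200 1024
2016-03-01T10:03:44 10.0.0.40 POST https://www.virustotal.com/vtapi/v2/file/scan 200 117004
2016-03-01T10:05:00 10.0.0.77 POST https://www.virustotal.com/vtapi/v2/file/scan 200 60210
"""

# Hypothetical allowlist: workstations where analysts are expected to submit samples.
ANALYST_HOSTS = {"10.0.0.15"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d+)\s+(?P<bytes>\d+)$"
)
# Any upload to the virustotal.com domain, regardless of the exact path used.
VT_HOST_RE = re.compile(r"^https?://(www\.)?virustotal\.com/", re.IGNORECASE)


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_unexpected_vt_uploads(log_text, analyst_hosts=ANALYST_HOSTS):
    """Return {src_ip: [(timestamp, bytes_sent), ...]} for POSTs to virustotal.com
    from hosts that are not on the analyst allowlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        if rec["method"] == "POST" and VT_HOST_RE.match(rec["url"]) and rec["src"] not in analyst_hosts:
            hits[rec["src"]].append((rec["ts"], rec["bytes"]))
    return dict(hits)


if __name__ == "__main__":
    for src, uploads in find_unexpected_vt_uploads(SAMPLE_PROXY_LOG).items():
        print(f"{src}: {len(uploads)} upload(s), {sum(b for _, b in uploads)} bytes sent")
```

Upload volume per host is reported so that a single small submission can be triaged differently from a host that is steadily shipping binaries out of the network.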

The creators aim high

The developers of Thanatos have high hopes for their brainchild; they advertise their product as “not another Zeus look-alike” and describe some of their plugins as faster than those of Zeus. This comparison to the Gameover Zeus campaign – which distributed ransomware and banking Trojans to millions of machines in 2014 – is quite disturbing. With its new abilities, Thanatos might be very appealing to low-level cybercriminals who are looking for revenue but don’t have the technical know-how to generate it.

The malware’s abilities show us just how red the cybercrime waters are. Developers go to great lengths to make sure no other criminal gets a piece of the pie, and use selective malware detection to achieve this. The price tag is relatively cheap, and if it is adopted by cybercriminals, this could be the next Zeus.

Combating such a threat won’t be simple. It appears that the developers plan to keep evolving their malware, turning it into a more flexible attack platform. But let us not forget that the security industry has also been evolving since the days of the Zeus campaign. The rise of advanced, affordable malware might push more security companies to create cyber deception solutions – products that target the attackers themselves and not just their attack tools.
