Rise of the malware-hunting malware

Imagine this scenario: A malware operator breaks into a network and finds another malware there already at work. What happens next? Do they collaborate or attack each other?

What we’re seeing is that the more advanced the attacker, the more dangerous it is to another malware operating in its target network. Advanced persistent threats (APTs) rely on expensive, multi-staged tools that sometimes take years to develop, so, for their own operational security, APT operators need to be able to discover other malware on their target. A low-level malware operating on the same network might catch the attention of a target’s defense grid and risk the entire advanced campaign. So the APT operator must assess the risk of exposure and carefully plan their next steps. For example, they could try to compromise the other attacker’s tool and snatch the stolen data. If the other attacker has a strong foothold, the APT operator might choose an alternative endpoint, vector, or method, or even give up and move on to a new target.

But while advanced attackers can choose how to act once another malware enters the network they are already roaming, low-level attackers must simply hope that no other attackers will try to hack the same target while they operate. At least, that’s what they did before Thanatos arrived.

Competing malware assassination

Thanatos is a new malware that popped up last month in crimeware markets around the world. Thanatos is offered through crimeware undergrounds as a subscription tool for the price of $1,000 per month (or $12,000 for a lifetime subscription). It has many plugins that give it different abilities, the most interesting of which is the ability to scan a target network for other malware. Thanatos uses 3-8 hardcoded flags to find malware by searching the host’s task scheduler, services, and registry. Once a suspicious signature is detected, Thanatos selectively uploads it to virustotal.com to make sure it’s malicious and then erases it from the host. Another interesting feature is its ability to remove hooks placed by competing malware, in order to avoid data theft by other criminals.

These abilities improve the malware’s operational security, while preventing other criminals from successfully attacking the target. According to Proofpoint, which discovered this tool, Thanatos was written in C++, Masm, and Delphi; it can hack every version of Windows (from XP onward) and can inject malicious code into IE, Edge, Chrome, and Firefox browsers.

The creators aim high

The developers of Thanatos have high hopes for their brainchild; they advertise their product as “not another Zeus look-a-like” and describe some of their plugins as faster than those of Zeus. This comparison to the Gameover Zeus campaign – which distributed ransomware and banking Trojans to millions of machines in 2014 – is quite disturbing. With its new abilities, Thanatos might be very appealing to low-level cybercriminals who are looking for revenue but don’t have the technical know-how to generate it.

The malware’s abilities show us just how red the cybercrime waters are. Developers go to great lengths to make sure no other criminal will get a piece of the pie and use selective malware detection to achieve this. The price tag is relatively cheap, and if adopted by cybercriminals, this could be the next Zeus.

Combating such a threat won’t be simple. It appears as if the developers plan to evolve their malware, turning it into a more flexible attack platform.

Nitsan Saddan is head of threat intelligence research at Cymmetria.