- Apr 5, 2014
- 6,008
Thanatos is the name of a new trojan discovered on the underground hacking market that strives to market itself as a ZeuS (banking trojan) alternative but also advertises its "malware killing" capabilities.
Discovered on March 6 by security firm Proofpoint, Thanatos (personification of Death in Greek mythology), also known as Alphabot, is a trojan that, when distributed to desired targets, can help its authors create a global-spanning botnet through which all sorts of malware modules can be pushed to its victims.
Thanatos' creators say their service is similar to ZeuS, but better. ZeuS is a now-defunct botnet that was active in 2014 and delivered mostly a banking trojan of the same name, and a few ransomware families in some rarer instances.
Thanatos is on sale on the Dark Web
According to an ad in an underground hacking forum, Thanatos works on all Windows versions, XP and onward, doesn't need admin privileges, can evade antivirus detection, is 32- and 64-bit friendly, and is written in C++, Masm, and Delphi, similarly to ZeuS (which, coincidentally, had its source code leaked).
The trojan's main functionality is its FormGrabber module, which can inject data inside the processes of popular Web browsers such as Internet Explorer (7-11), Firefox (all versions), Google Chrome (30+, except version 47) and even the newer Edge.
Thanatos doesn't yet work with Opera and Safari, but the malware's creators say they're currently working on expanding support for these browsers as well.
Thanatos comes with a malware-killing component
A downloader module is also included for fetching and installing other software, along with a so-called AV-Module that acts as an antivirus, scanning the infected target for other known malware, and deleting it from infected systems.
This type of behavior was seen before last autumn with the Shifu banking trojan and allows the attacker to maximize their earnings by not sharing infected hosts with other crooks, while also not risking getting exposed due to another badly coded malware found on the same system.
To be sure that the malware it detects is actual malware and not a false positive, Thanatos will even take a copy of the suspicious file and upload it to VirusTotal for confirmation, which is the first time a trojan was seen taking such action.
Discovered on March 6 by security firm Proofpoint, Thanatos (personification of Death in Greek mythology), also known as Alphabot, is a trojan that, when distributed to desired targets, can help its authors create a global-spanning botnet through which all sorts of malware modules can be pushed to its victims.
Thanatos' creators say their service is similar to ZeuS, but better. ZeuS is a now-defunct botnet that was active in 2014 and delivered mostly a banking trojan of the same name, and a few ransomware families in some rarer instances.
Thanatos is on sale on the Dark Web
According to an ad in an underground hacking forum, Thanatos works on all Windows versions, XP and onward, doesn't need admin privileges, can evade antivirus detection, is 32- and 64-bit friendly, and is written in C++, Masm, and Delphi, similarly to ZeuS (which, coincidentally, had its source code leaked).
The trojan's main functionality is its FormGrabber module, which can inject data inside the processes of popular Web browsers such as Internet Explorer (7-11), Firefox (all versions), Google Chrome (30+, except version 47) and even the newer Edge.
Thanatos doesn't yet work with Opera and Safari, but the malware's creators say they're currently working on expanding support for these browsers as well.
Thanatos comes with a malware-killing component
A downloader module is also included for fetching and installing other software, along with a so-called AV-Module that acts as an antivirus, scanning the infected target for other known malware, and deleting it from infected systems.
This type of behavior was seen before last autumn with the Shifu banking trojan and allows the attacker to maximize their earnings by not sharing infected hosts with other crooks, while also not risking getting exposed due to another badly coded malware found on the same system.
To be sure that the malware it detects is actual malware and not a false positive, Thanatos will even take a copy of the suspicious file and upload it to VirusTotal for confirmation, which is the first time a trojan was seen taking such action.