Thanos ransomware encrypts files and installs PowerAdmin for backdoor access

The SonicWall Capture Labs threat research team has recently been tracking a new variant of Thanos ransomware. It is named after the Marvel supervillain and, according to the FBI, was created by Moises Luis Zagala Gonzalez, a Venezuelan-French cardiologist. Thanos is Ransomware as a Service (RaaS) and has been sold in the underground marketplace since around Feb 2020. It contains a suite of functionality that includes network spreading, anti-analysis and additional tool download.

Infection Cycle:

Upon infection, the malware encrypts files and drops the following text file onto the desktop:


Each encrypted file is given a .locked file extension. HOW_TO_DECYPHER_FILES.txt is dropped into all directories containing encrypted files.

The malware is written in C# and is trivial to decompile. We can easily see all of its functions:



The malware contains many components to enable it to spread more effectively and hinder analysis. The anti-analysis component contains a list of programs to kill:



The list is base64 encoded. Decoding it reveals the following program names:

AppFilter http analyzer stand-alone fiddler effetech http sniffer firesheep IEWatch Professional dumpcap wireshark wireshark portable sysinternals tcpview NetworkMiner NetworkTrafficView HTTPNetworkSniffer tcpdump intercepter Intercepter-NG ollydbg x64dbg x32dbg dnspy dnspy-x86 de4dot ilspy dotpeek dotpeek64 ida64 procexp procexp64 RDG Packer Detector CFF Explorer PEiD protection_id LordPE pe-sieve MegaDumper UnConfuserEx Universal_Fixer NoFuserEx NetworkMiner NetworkTrafficView HTTPNetworkSniffer tcpdump intercepter

The SniffersKiller function is used to kill all programs in the list if they are running:



The Anti_Analysis class contains basic debugger and sandbox detection:



The network component contains a wake-on-lan function. If the infected machine's IP address indicates that it is within a LAN, the malware issues a wake-on-lan signal to bring any sleeping machines back online for potential infection:



Once these machines have woken up, the malware checks if they are online by checking replies to pings:



For each ping response, the malware attempts to log in to that machine. It contains a short, basic list of usernames and passwords that it will try:
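The three network steps above (wake-on-lan broadcast, ping sweep, then credential guessing against the hosts that answered) form a chain that a defender can correlate per source host. The following detection logic is an added example written for this write-up; it is not SonicWall's code and not part of the malware. It assumes a constructed, space-separated log format (`<epoch> <src_ip> <dst_ip> <proto> <detail>`) in which a network sensor has already tagged wake-on-lan magic packets with `wol_magic` and SMB logon outcomes with `logon-failure` / `logon-success`; the sample lines are constructed for the example, as are the thresholds.

```python
from collections import defaultdict

# Constructed log lines for this example (format assumed, not SonicWall's):
# <epoch> <src_ip> <dst_ip> <proto> <detail>
SAMPLE_LOG = """\
1700000000 10.0.0.15 255.255.255.255 UDP dport=9 wol_magic
1700000001 10.0.0.15 255.255.255.255 UDP dport=9 wol_magic
1700000010 10.0.0.15 10.0.0.20 ICMP echo-request
1700000010 10.0.0.15 10.0.0.21 ICMP echo-request
1700000010 10.0.0.15 10.0.0.22 ICMP echo-request
1700000011 10.0.0.15 10.0.0.23 ICMP echo-request
1700000020 10.0.0.15 10.0.0.20 SMB logon-failure user=admin
1700000021 10.0.0.15 10.0.0.20 SMB logon-failure user=administrator
1700000022 10.0.0.15 10.0.0.21 SMB logon-failure user=admin
1700000023 10.0.0.15 10.0.0.21 SMB logon-success user=administrator
1700000030 10.0.0.40 10.0.0.1 ICMP echo-request
1700000031 10.0.0.40 10.0.0.1 TCP dport=443 syn
"""


def parse_line(line):
    """Split one constructed log line into (ts, src, dst, proto, detail)."""
    ts, src, dst, proto, detail = line.split(maxsplit=4)
    return int(ts), src, dst, proto, detail


def score_sources(lines, ping_threshold=3, failure_threshold=2):
    """Aggregate activity per source host and flag the WoL -> ping sweep -> logon chain.

    A host is alerted on only when all three stages are present; a lone ping
    sweep or a couple of failed logons is ordinary noise on most networks.
    """
    stats = defaultdict(lambda: {"wol_packets": 0, "ping_targets": set(),
                                 "logon_failures": 0, "logon_success": 0})
    for line in lines:
        if not line.strip():
            continue
        _ts, src, dst, proto, detail = parse_line(line)
        s = stats[src]
        if proto == "UDP" and "wol_magic" in detail:
            s["wol_packets"] += 1
        elif proto == "ICMP" and "echo-request" in detail:
            s["ping_targets"].add(dst)          # count distinct hosts probed
        elif proto == "SMB" and "logon-failure" in detail:
            s["logon_failures"] += 1
        elif proto == "SMB" and "logon-success" in detail:
            s["logon_success"] += 1

    report = {}
    for src, s in stats.items():
        stages = {
            "wol": s["wol_packets"] > 0,
            "ping_sweep": len(s["ping_targets"]) >= ping_threshold,
            "logon_guessing": s["logon_failures"] >= failure_threshold,
        }
        report[src] = {
            "wol_packets": s["wol_packets"],
            "ping_targets": len(s["ping_targets"]),
            "logon_failures": s["logon_failures"],
            "logon_success": s["logon_success"],   # a success after failures is the worst case
            "stages": stages,
            "alert": all(stages.values()),
        }
    return report


if __name__ == "__main__":
    for host, r in score_sources(SAMPLE_LOG.splitlines()).items():
        print(host, "ALERT" if r["alert"] else "ok", r["stages"])
```

The example aggregates over the whole input; a production rule would bound the correlation to a time window and require the stages in order, and a `logon_success` following failures from the same source is the event to escalate first, since that is a host the malware has reached.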



It contains a DownloadTool function to download additional components.



The base64 string in this function decodes to:

https://www.poweradmin.com/paexec/paexec.exe

PowerAdmin is an open source remote system administration tool similar to PAExec. In this case, it is used as a backdoor to remotely control the infected machine.
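Both the kill list and the download URL are stored as base64 strings inside the binary, so a static triage pass that extracts and decodes base64 runs recovers them without executing the sample. The script below is an added example for this write-up, not SonicWall's tooling and not code from the malware; it assumes a plain byte blob as input (a dumped string table or the raw file) and uses a constructed sample that embeds a subset of the decoded kill list and the PAExec URL the way the sample stores them. The tool names it matches on come from the decoded list above.

```python
import base64
import re

# Tool names taken from the decoded kill list in the write-up (a subset is
# enough for matching; comparison is case-insensitive, substring based).
KNOWN_ANALYSIS_TOOLS = {
    "wireshark", "fiddler", "tcpdump", "ollydbg", "x64dbg", "x32dbg",
    "dnspy", "de4dot", "ilspy", "dotpeek", "ida64", "procexp", "procexp64",
    "pe-sieve", "peid", "lordpe", "tcpview", "networkminer",
}

# A base64 candidate is a run of at least 24 alphabet characters plus optional
# padding, bounded by non-base64 bytes so partial runs are not decoded.
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")
URL_RE = re.compile(r"https?://[^\s\"']+")


def decode_candidates(blob: bytes):
    """Yield (offset, text) for each base64 run that decodes to printable text."""
    for m in B64_RE.finditer(blob):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue   # not valid base64, or decodes to binary rather than text
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            yield m.start(), text


def triage(blob: bytes):
    """Return findings: decoded URLs and decoded strings naming known analysis tools."""
    findings = []
    for offset, text in decode_candidates(blob):
        urls = URL_RE.findall(text)
        lowered = text.lower()
        tools = sorted(t for t in KNOWN_ANALYSIS_TOOLS if t in lowered)
        if urls:
            findings.append({"offset": offset, "kind": "url", "values": urls})
        if tools:
            findings.append({"offset": offset, "kind": "kill_list", "values": tools})
    return findings


# Constructed sample blob: string constants as a decompiler might dump them,
# with the kill list and the download URL base64-encoded like the sample does.
_KILL_LIST = "wireshark fiddler tcpdump ollydbg x64dbg dnspy de4dot ilspy ida64 procexp64"
_URL = "https://www.poweradmin.com/paexec/paexec.exe"
SAMPLE_BLOB = (
    b"\x00\x00SniffersKiller\x00"
    + base64.b64encode(_KILL_LIST.encode())
    + b"\x00DownloadTool\x00"
    + base64.b64encode(_URL.encode())
    + b"\x00\xff\xfe not_base64_here \x00"
)


if __name__ == "__main__":
    for finding in triage(SAMPLE_BLOB):
        print(finding)
```

Run against a real dump, the `url` findings give you the download locations to block or hunt for in proxy logs, and a `kill_list` hit near a function name such as SniffersKiller is a quick confirmation that the anti-analysis component is present in the variant at hand.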

We reached out to the email address in the ransom note for details on file retrieval but received no response.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Thanos.RSM_1 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.
