Thanos Operator Targets Police Department in United Arab Emirates

By

Overview

The SonicWall Capture Labs threat research team has come across a variant of Thanos ransomware targeted at a police department in the United Arab Emirates (UAE).  Thanos ransomware is a customizable and highly adaptable ransomware-as-a-service (RaaS) tool that allows cybercriminals to create and deploy ransomware tailored to their needs. It is known for its data-stealing capabilities, the ability to spread through networks and the use of advanced evasion techniques to avoid detection.

Infection Cycle

Upon infection, the following notification appears on the desktop.

Figure 1: Notification

Files on the system are encrypted.  Each encrypted file has the text “.crypted” appended to its name

A ransom note asking for $20,000 in Bitcoin is displayed on the desktop:

Figure 2: Ransom message

A file named HOW_TO_DECYPHER_FILES.txt is dropped into all directories containing encrypted files.  It contains the following message:

Figure 3: Ransom message text file

If the system is rebooted, the following message is displayed during the login process:

Figure 4: Ransom message after reboot

The malware is written in .NET and is obfuscated.  However, after disassembly, this obfuscation is easily thwarted as it only uses base64 to encode all of its strings.  Using the following simple script, we were able to decode all base64 encoded strings and reveal the malware’s functionality:

Figure 5: Simple deobfuscation script

Figure 6: Deobfuscated code

The Thanos signature can be seen in the deobfuscated code:

Figure 7: Thanos marker

The “.crypted” file extension and a list of filetypes targeted for encryption is visible:

Figure 8: Targeted file types

The Windows Task Manager and various other backup and recovery services are disabled:

Figure 9: Disabling task manager

Figure 10: Disabling system recovery

The following base64 encoded text decodes to https://www.poweradmin.com/paexec/paexec.exe.  Power Admin is downloaded and executed on the system for remote administration:

Figure 11: Power Admin download

ProcessHide is also downloaded and is used to hide Power Admin from process monitoring applications such as Windows Task Manager:

Figure 12: ProcessHide download

The malware scans the internal network for online machines.  The username and password that was used leads us to believe that this variant of the malware is targeted toward the Sharjah Police Force in the UAE:

Figure 13: Network scanning

If those credentials do not work, there is a bigger list of usernames and passwords to try:

Figure 14: Additional credentials to try

We tried to reach out to the operator via email, but the email bounced.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Thanos.RSM_2(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.