
Rewterz Threat Alert – Thanos Ransomware Adds to Feature Set

July 2, 2020

Severity

Medium

Analysis Summary

Thanos is a RaaS (Ransomware as a Service) which provides buyers and affiliates with generated payloads that can be configured with numerous features and options. Many of the options available in the Thanos builder are designed to evade endpoint security products, and this includes the use of the RIPlace technique. To date, Thanos appears to be the only widely-recognized threat making use of RIPlace, although the feature was not always part of the Thanos toolset. 
Between February and June 2020, the following features were added to the toolset:

  • RIPlace
  • Updated FTP-based reporting
  • Built-in Rootkit feature (ransomware is now stealthy and invisible to Task Manager during encryption)
  • Tool interface improvements
  • Immortal process support expansion
  • Encryption speed enhancements (advertised to fully encrypt hosts in less than 2 minutes)
  • Rootkit option expanded to support Windows 7, 8, 10 on both x86 and x64 architectures
  • LAN-wide ransom notes can now appear at Windows Login
  • Runtime dyncheck for the ransomware client
  • Support for distinguishing between upper and lower-case file extensions
  • Updated Client expiration options
  • LAN share encryption without having to map drives
  • Updated runtime compilation

IoCs have been retrieved, but the attack vector for this particular campaign is still unknown.

Impact

  • File encryption
  • Information theft
  • Detection evasion
  • Network-wide infection

Indicators of Compromise

MD5

  • a4e1caab1b9642ef645b6549ca09d303
  • a20a074f8ea7ae17809addf38dc400a0
  • 21fa6ebdd397f14bbb68a4e3d012467e
  • b8edb3062e489a16fd49868c18731a55
  • 3d4d66b50ecb9e741e416a2a20e1e5b7
  • 0f27d1180d28e1bcaf4d66f6b51c087c
  • 874b68e73c2564b25dea17145d079006
  • bd9c08451d11f7c9ccefb6dceb7e8555
  • 0dcfe58d200058289ea8c13551d13ce8
  • 3c31ed5362637ff3d5f94347396d753f
  • dabb1e7706b4b67ff8ae5a79ab263f06
  • 90e26c44e1148d5be61538932b9b14d1
  • 45476cb160a030539fea7327946e8232
  • 6ac55ad4d3952513e0ad61cffef7b440
  • d209e35f7cb4677a6072415b1266118e
  • 2a66b3b2638dfc5dfcf8aaf825993269
  • efacfe855e74d597fb7f987a01ac2120
  • 070940acdcf608923d044edc79ba4121
  • d38f63c08174dba2225a8c8293e4fd8b

SHA-256

  • 989a9d2e08fcba4059ebc55afc049f34d2a12bfdd1e14f468ee8b5c27c9e7bda
  • 8a2b54d273d01f8d5f42311d5402950bb9983648a39b943c729314a97ede15a2
  • f0c0c989b018ee24cbd7548cec4e345fd34f491d350983fddb5ddc1ad1f4ba9f
  • cea80fe543aec9c6b4a4628ec147e8a41cac766c2cd52c0ca86a19f9ef348fc3
  • 7a7a5110cb9a8ee361c9c65f06293667451e5200d21db72954002e5725971950
  • 7e6db426de4677efbf2610740b737da03c68a7c6295aca1a377d1df4d35959e5
  • 09fd6a13fbe723eec2fbe043115210c1538d77627b93feeb9e600639d20bb332
  • a95f9d82097bdfa2dd47e075b75d09907d5913e5c15d05c926de0d8bbce9698f
  • 53806ba5c9b23a43ddbfa669798d46e715b55a5d88d3328c5af15ba7f26fbadd
  • 794369bc9a06041f906910309b2ce45569a03c378ff0468b6335d4f653f190ab
  • 10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5
  • befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415
  • 855dcd368dbb01539e7efa4b3fefa9b56d197db87b1ba3ede5e1f95927ea2ca3
  • d1b634201a6158a90f718a082c0fe0ee1769ff4b613dd9756a34318fa61eea47
  • 17314793d751b66f4afc1fac1c0ab0c21f2c9f67e473e8ba235bc79d7e0ea1b0
  • edcac243808957cc898d4a08a8b0d5eaf875f5f439a3ca0acfaf84522d140e7e
  • 23d7693284e90b752d40f8c0c9ab22da45f7fe3219401f1209c89ac98a4d7ed3
  • 5b5802805784b265c40c8af163b465f1430c732c60dd1fbec80da95378ae45b7
  • f7d7111653c43476039efd370fb39fcdb2c22a3f1bb89013af643b45fb3af467
  • 81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e
  • 34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e
  • ff1a88c2ad5df435a978c63d21a6ab0642134785284b01137e18dd235197b66d

SHA1

  • 5f44342dc0cb0c4ef3a3b3dad1e974e9c6eb9120
  • 0ecff2f818565e7eb28d3a7b7d295459a868e920
  • b4fe4ce027afeb9ca0b88b52891fb7c73d822d10
  • ae42c46c6b8a5a60c232665abd6c9bc469021512
  • da0cd782f32088c0df8cd62deda1c61b4cedd6fb
  • db49455bbc76eb00a99e803aa46d5681ac60b17b
  • c5517ca6e843efb0a4d2989e6ba16dde6cf7da65
  • f5664b367a841643728cd90d0cb61df9e58fa4d7
  • 4e04822d6b8c3087be0550dba96f0c80d84359f8
  • 6be2e40bd6901462f9d87fbee63740a3971d1a75
  • f086a802887c4b3ed9be69ffc018fb6ffb324f5e
  • a86ba83804da1f7d2675d5994c724995fef09771
  • 5b1d1de92d8b8163ac70281d6afa3113d0f86362
  • 018a392975a8731735ef709e6418e5af19db3756
  • f3264a5ecd6e1b3aef2884b1c35028eedcf442dc
  • 4c6e634075781724cba954a76d1d831d077b7257
  • caef3905436bdf99bda6a3de64b162630c527375
  • 15a00d3aba362aade900374b6d159de98e8eac62
  • 18529b6bef216231c34b2701eb3894ca2dd3a5ba
  • 31bd11c9d4dd19185a2ea42507ba8a3651198335
  • 1867a1100203ea14f9496b938c23b44a3b31ec40
  • ffcc533b3b5630f405ff9e6274fc273f1bd33594

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download file attachments from untrusted email addresses.
  • Keep all systems and software updated to the latest patched versions.
  • Maintain offline backups for all valuable data.
  • Segregate OT and IT networks where possible.
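The first remediation item asks that the indicators above be blocked or hunted for. The following script is an added example, not part of this advisory or Rewterz's tooling: it parses a pasted hash list into per-algorithm sets (sorting by digest length rather than trusting section labels), hashes every file under a directory in one streaming pass, and reports files whose MD5, SHA-1 or SHA-256 appears in the set. The embedded `ADVISORY_IOCS` block copies a handful of the hashes listed above; `demo_run`, the temporary files it writes and the extra "indicator" it registers are constructed purely to show the matching path end to end.

```python
"""Offline triage helper: hash files on disk and match them against an
advisory's IoC hash lists. Added example; not the advisory's own code."""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set

# Subset of the hashes published in the advisory above, pasted as-is
# (bullets and section headers included) to show the parser tolerates them.
ADVISORY_IOCS = """
MD5
  • a4e1caab1b9642ef645b6549ca09d303
  • a20a074f8ea7ae17809addf38dc400a0
  • 21fa6ebdd397f14bbb68a4e3d012467e
SHA-256
  • 989a9d2e08fcba4059ebc55afc049f34d2a12bfdd1e14f468ee8b5c27c9e7bda
  • 8a2b54d273d01f8d5f42311d5402950bb9983648a39b943c729314a97ede15a2
SHA1
  • 5f44342dc0cb0c4ef3a3b3dad1e974e9c6eb9120
  • 0ecff2f818565e7eb28d3a7b7d295459a868e920
"""

# Hex-digest length identifies the algorithm, so mislabeled sections
# or mixed lists still land in the right set.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_iocs(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Turn bullet or plain lines of hashes into lowercase sets keyed by
    algorithm. Headers ('MD5'), blanks and non-hex tokens are ignored."""
    iocs: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for raw in lines:
        token = raw.strip().lstrip("•-* ").strip()
        algo = _ALGO_BY_LEN.get(len(token))
        if algo and _HEX.match(token):
            iocs[algo].add(token.lower())
    return iocs


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of one file in a single read pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root: Path, iocs: Dict[str, Set[str]]) -> Dict[str, Dict[str, str]]:
    """Walk `root` and return {path: {algo: digest}} for every file whose
    digest under any algorithm is in the IoC sets. Unreadable files are
    skipped rather than aborting the whole sweep."""
    hits: Dict[str, Dict[str, str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digests = hash_file(p)
            except OSError:
                continue
            matched = {a: d for a, d in digests.items() if d in iocs.get(a, set())}
            if matched:
                hits[str(p)] = matched
    return hits


def demo_run() -> Dict[str, Dict[str, str]]:
    """Constructed end-to-end run: two files in a temp dir, one of whose
    SHA-256 is registered as an indicator, so exactly one hit is expected.
    Returns hits keyed by file name only."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        suspect = root / "suspect.bin"
        suspect.write_bytes(b"constructed sample bytes, not real malware")
        (root / "clean.txt").write_bytes(b"nothing to see here")
        iocs = parse_iocs(ADVISORY_IOCS.splitlines())
        # Constructed indicator so the demo produces a match offline.
        iocs["sha256"].add(hash_file(suspect)["sha256"])
        hits = scan_tree(root, iocs)
        return {os.path.basename(p): m for p, m in hits.items()}


if __name__ == "__main__":
    for path, matched in demo_run().items():
        print(path, matched)
```

In practice you would feed `parse_iocs` the full indicator list from the advisory (e.g. `parse_iocs(open("iocs.txt"))`) and point `scan_tree` at user-profile and temp directories on a host under investigation; a hit on any one algorithm is enough to quarantine the file and escalate, and a clean sweep says nothing about samples the advisory does not list.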