Rewterz Threat Alert – Thanos Ransomware Auto-spreading to Windows Devices, Evading Security

June 11, 2020

Severity

High

Analysis Summary

Thanos is a ransomware family that has been advertised as a Ransomware-as-a-Service (RaaS) on Russian-speaking hacker forums since February 2020. It is the first ransomware observed using the researcher-disclosed RIPlace anti-ransomware evasion technique, and it carries several other advanced features that make it a threat worth tracking closely.


The operators recruit hackers and malware distributors as affiliates to spread the ransomware; in return, an affiliate keeps a revenue share, typically around 60-70%, of any ransom payment.

Most ransomware written in C# is not sophisticated; Thanos is an exception, with a number of advanced features that set it apart. The most notable is RIPlace, an evasion technique that abuses how file-system filter drivers handle renames: the ransomware first creates a DOS device name (a symbolic link) with the DefineDosDevice() function and then renames the target file through a path that goes via that link. Anti-ransomware drivers that try to resolve the destination of the rename receive an error from the filter manager instead of the real path, so their monitoring logic never sees the operation, while the rename itself still completes and the anti-ransomware product is bypassed. Thanos is the first ransomware known to adopt RIPlace. It also shows connections to the Hakbit ransomware family.

In addition to its built-in file theft, Thanos includes a feature that attempts to spread the ransomware laterally to other devices on the network. When executed, Thanos downloads the SharpExec offensive-security toolkit from its GitHub repository and uses the PsExec functionality bundled with SharpExec to copy the ransomware executable to other computers and run it there. Victims are left the ransom note shown below.

[Image: Thanos ransom note]
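The lateral-movement step described above relies on PsExec-style remote service execution, which leaves a trace on every target: a new service is registered, and the Windows System log records it as Event ID 7045. The following is an added example, not code from the advisory or from Rewterz, of how a SOC could hunt for that trace. It flags 7045 records whose service name is PsExec's default PSEXESVC, whose binary sits at the root of %SystemRoot% (where PsExec copies its helper via the ADMIN$ share), or whose binary is addressed through an administrative share. The event records are constructed for the example, the field names follow the System log's 7045 event, and the name and path patterns are this example's assumptions, not indicators published in the advisory.

```python
"""Hunt for PsExec-style remote service installs in Windows System log records."""
import re
from typing import Dict, List, Tuple

# Event ID 7045 ("A service was installed in the system") records from the Windows
# System log, flattened to dicts. CONSTRUCTED for this example, not real incident data.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7045", "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": "7045", "Computer": "WS07", "ServiceName": "VendorUpdate",
     "ImagePath": r"C:\Program Files\Vendor\updatesvc.exe", "AccountName": "LocalSystem"},
    {"EventID": "7045", "Computer": "WS12", "ServiceName": "kxqpzt",
     "ImagePath": r"\\WS12\ADMIN$\kxqpzt.exe", "AccountName": "LocalSystem"},
    {"EventID": "7036", "Computer": "WS12", "ServiceName": "Spooler",
     "ImagePath": "", "AccountName": ""},
    {"EventID": "7045", "Computer": "DC01", "ServiceName": "wuauserv2",
     "ImagePath": r"C:\Windows\wuauserv2.exe -k netsvcs", "AccountName": "LocalSystem"},
]

# Sysinternals PsExec installs its remote helper as the PSEXESVC service, with the
# binary copied into the target's ADMIN$ share (the root of %SystemRoot%). Clones and
# tools that bundle it follow the same pattern: a freshly created service whose binary
# sits at the root of the Windows directory or is addressed via an admin share.
# The patterns below are this example's assumptions, not indicators from the advisory.
PSEXEC_SERVICE_NAMES = {"psexesvc"}
ROOT_OF_SYSTEMROOT = re.compile(
    r"^(?:%systemroot%|%windir%|[a-z]:\\windows)\\[^\\]+\.exe(?:\s.*)?$", re.IGNORECASE)
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(?:admin|[a-z])\$\\", re.IGNORECASE)

Finding = Tuple[str, str, str, List[str]]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons a 7045 record looks like PsExec-style remote execution.

    An empty list means the record is not a service install or matched nothing.
    """
    if event.get("EventID") != "7045":
        return []
    reasons: List[str] = []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "").strip().strip('"')
    if name.lower() in PSEXEC_SERVICE_NAMES:
        reasons.append("service name PSEXESVC (Sysinternals PsExec default)")
    if ROOT_OF_SYSTEMROOT.match(path):
        reasons.append("service binary at the root of %SystemRoot% (typical ADMIN$ drop)")
    if ADMIN_SHARE.match(path):
        reasons.append("service binary addressed through an administrative share")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Finding]:
    """Run classify() over a batch of records; return (host, service, path, reasons)."""
    findings: List[Finding] = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings.append((ev["Computer"], ev["ServiceName"], ev["ImagePath"], reasons))
    return findings


if __name__ == "__main__":
    for host, service, path, why in hunt(SAMPLE_EVENTS):
        print(f"{host}: service {service!r} -> {path}")
        for reason in why:
            print(f"    - {reason}")
```

Legitimate software occasionally installs a service with its binary directly under C:\Windows, so the root-of-%SystemRoot% rule is a triage signal rather than a verdict; the PSEXESVC name and an ADMIN$ image path are far stronger, and a burst of such installs across many hosts from one source account within minutes is what the auto-spreading described above would look like.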

Impact

  • File encryption
  • Security Bypass
  • Detection Evasion
  • Network-wide infection

Indicators of Compromise

SHA-256

  • 7a7a5110cb9a8ee361c9c65f06293667451e5200d21db72954002e5725971950
  • 5b5802805784b265c40c8af163b465f1430c732c60dd1fbec80da95378ae45b7
  • 7e6db426de4677efbf2610740b737da03c68a7c6295aca1a377d1df4d35959e5
  • d1b634201a6158a90f718a082c0fe0ee1769ff4b613dd9756a34318fa61eea47
  • e63aeb1aa61c38a5bed126b41ca587a892de0311730b892aee77541a761e1a02
  • 940df3b1cf603388cf9739cc208c1a88adfe39d2afe51e24a51878adca2be4e3
  • a1bab429b3b18fdb8e4fec493bd53e89c0f87147d902ff41a0f6dcd61c159553
  • e67fa8978e6c22f4d54604a54c3ac54e631128eed819d37355c2ad80e74507a5
  • b99e0b750b3815fec3b292ede3f94524c8bede7d158334295e096518e9cde0ad
  • 989a9d2e08fcba4059ebc55afc049f34d2a12bfdd1e14f468ee8b5c27c9e7bda
  • db3ef67666e18047aa24a90bfa32ca456641209147703853413d56eb74d44673
  • 10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5
  • 049425dac929baf288c44c981ef63417d097fb95f5199c9f33e5ef5e2ec20590
  • f1388fbe51253d8f07a98eabfe0422e39821d936166cc85c92a0418854ae15fb
  • cea80fe543aec9c6b4a4628ec147e8a41cac766c2cd52c0ca86a19f9ef348fc3
  • 8a2b54d273d01f8d5f42311d5402950bb9983648a39b943c729314a97ede15a2
  • aae00e2532ae5093e8c0a623bffcc4c447d04e89237438c52cb473854c715724
  • fd8c3259b8e80b8220c6053aa9b045676d1e3fe09356ed94b5e47fb5b895ff92
  • 23d7693284e90b752d40f8c0c9ab22da45f7fe3219401f1209c89ac98a4d7ed3
  • e256a9f20479f29e229f594ef6ab91be75bff9e3f0784030ac0feb8868f4abc1
  • 7a38f70d923669a989ea52fa1c356c5ac7ccce4067a37782973466102e3d27f6
  • 53806ba5c9b23a43ddbfa669798d46e715b55a5d88d3328c5af15ba7f26fbadd
  • 871eef727aaad88b734bb372f19e72ccf38034195666c35390f5c3064f5469a3
  • edcac243808957cc898d4a08a8b0d5eaf875f5f439a3ca0acfaf84522d140e7e
  • 86ed000fa2dd99f2b2341da607c904c0b510f98ead65be12b358e3f73e624cb6
  • c8f18fb0baf81b31daa929499b2dcaa7f297bd05ec1ecff319ae5e8b34dade00
  • ff1a88c2ad5df435a978c63d21a6ab0642134785284b01137e18dd235197b66d
  • 3ccf57e60cdf89d04f2c7e744d73e3b40a4308a2ba87d0423c96f601d737733f
  • f7d7111653c43476039efd370fb39fcdb2c22a3f1bb89013af643b45fb3af467
  • 917905ba95c10847e0bf3bc66332ae05616a0ddd965a00ae8ec3431ed11c39d2
  • 5849966984f270b200fd80e086d2565a5a7d4ee0743677640f45b97b46e49082
  • 3f83fd42af95185e19e537708dccdf1539dcab1ce73783c2741b4c1929dcc020
  • 794369bc9a06041f906910309b2ce45569a03c378ff0468b6335d4f653f190ab
  • 9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2
  • f0c0c989b018ee24cbd7548cec4e345fd34f491d350983fddb5ddc1ad1f4ba9f
  • a95f9d82097bdfa2dd47e075b75d09907d5913e5c15d05c926de0d8bbce9698f
  • 81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e
  • 916aeaa51050f25dbbcefc1be1820457e1d9d755a44d2d0cf62155f75c54127c
  • 17314793d751b66f4afc1fac1c0ab0c21f2c9f67e473e8ba235bc79d7e0ea1b0
  • 34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e
  • 855dcd368dbb01539e7efa4b3fefa9b56d197db87b1ba3ede5e1f95927ea2ca3
  • 09fd6a13fbe723eec2fbe043115210c1538d77627b93feeb9e600639d20bb332
  • befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415

Remediation

  • Block the indicators of compromise listed above at the relevant controls (endpoint protection, mail and web gateways, SIEM watchlists).
  • Do not download or open files from untrusted emails or unknown sources on the internet.
  • Keep all systems and software updated to the latest versions.
  • Maintain offline backups of all data and verify that they restore.
  • Because Thanos spreads with PsExec-style remote execution, restrict the use of administrative shares and shared local administrator credentials between hosts, and alert on unexpected service installations.
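As an added example of acting on the first remediation item (this is not part of the advisory and not Rewterz's code), the following script turns a pasted hash list into a clean SHA-256 blocklist, lower-casing, de-duplicating and discarding anything that is not a 64-hex-character token, and then sweeps a directory tree for files whose hash is on the list. The excerpt of the hash list embedded in the code is constructed from a few of the advisory's values, with one repeated entry, one upper-cased copy and one junk line added to exercise the validation; the files written by demo() are harmless stand-ins, not malware samples.

```python
"""Normalise a pasted SHA-256 IoC list and sweep a directory tree against it."""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import List, Set, Tuple

# Constructed excerpt of a pasted IoC list: a few of the advisory's hashes, with one
# repeated entry, one upper-cased copy and one junk line added for this example.
ADVISORY_IOCS = """
  • 7a7a5110cb9a8ee361c9c65f06293667451e5200d21db72954002e5725971950
  • 5b5802805784b265c40c8af163b465f1430c732c60dd1fbec80da95378ae45b7
  • 8a2b54d273d01f8d5f42311d5402950bb9983648a39b943c729314a97ede15a2
  • 871eef727aaad88b734bb372f19e72ccf38034195666c35390f5c3064f5469a3
  • 8a2b54d273d01f8d5f42311d5402950bb9983648a39b943c729314a97ede15a2
  • 871EEF727AAAD88B734BB372F19E72CCF38034195666C35390F5C3064F5469A3
  • see attached sample list
"""

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def parse_iocs(text: str) -> Set[str]:
    """Extract SHA-256 values from free text, lower-case and de-duplicate them.

    Anything that is not a 64-hex-character token (bullets, headings, junk lines)
    is ignored, so the function can be fed a whole advisory page.
    """
    return {m.group(0).lower() for m in SHA256_RE.finditer(text)}


def sha256_of(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root: str, blocklist: Set[str]) -> List[Tuple[str, str]]:
    """Hash every regular file under root; return (path, sha256) for blocklist hits."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # links and special files: hashing them is meaningless
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if digest in blocklist:
                hits.append((path, digest))
    return hits


def demo() -> List[str]:
    """Constructed scenario: a temp tree with a benign file and a stand-in 'sample'.

    The stand-in's hash is added to the blocklist, playing the role of a Thanos
    binary whose hash appears in the advisory. Returns the base names flagged.
    """
    blocklist = parse_iocs(ADVISORY_IOCS)
    with tempfile.TemporaryDirectory() as root:
        Path(root, "notes.txt").write_bytes(b"quarterly figures\n")
        sample = Path(root, "sub", "update.exe")
        sample.parent.mkdir()
        sample.write_bytes(b"MZ constructed stand-in, not a real sample\n")
        blocklist.add(sha256_of(str(sample)))
        hits = scan(root, blocklist)
    return sorted(os.path.basename(p) for p, _ in hits)


if __name__ == "__main__":
    print(f"{len(parse_iocs(ADVISORY_IOCS))} unique hashes in the list")
    print("flagged:", demo())
```

A hash sweep only catches the exact samples the advisory has seen; affiliates of a RaaS rebuild the binary freely, so treat the blocklist as a fast triage step alongside behavioural detection rather than as the control that stops the next build.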
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.