
Rewterz Threat Alert – Thanos Ransomware: Destructive Variant

September 7, 2020

Severity

High

Analysis Summary

A ransomware attack on two state-run organizations in the Middle East and North Africa was detected that ultimately installed and ran a variant of the Thanos ransomware. The Thanos variant created a text file that displayed a ransom message requesting the victim to transfer “20,000$” into a specified Bitcoin wallet to restore the files on the system. Below is the ransom note found on encrypted machines.

[Figure: HOW_TO_DECRYPT_YOUR_FILES.txt opened in Notepad, the Thanos ransom note displayed to victims. It reads: "Your files are Encrypted. Don't worry, you can return all your files! I don't want to loose your files too. If I want to do something bad to you I would've wipe all of your network but that's not helping me. :) so temporary all of your files is mine now until you pay the price of them. If you want to restore them contact me from the address below, I'll be happy to help you to get out of this situation. You've got 48 hours (2 Days), before you lost your files forever. I will treat you good if you treat me good too." The note closes with contact information, a Bitcoin wallet ID and a demand for "20,000$".]


The threat group behind these tools already had access to the targeted networks, having previously obtained valid credentials for them. The Thanos sample built for these networks executes several layers before the .NET Thanos ransomware itself runs on a system, reusing code from several open source frameworks. The outermost layer is a PowerShell script that loads a second PowerShell script as a sub-layer and also attempts to spread the ransomware to other systems on the network using the previously stolen credentials.

The ransomware was also configured to overwrite the master boot record (MBR), the component on a system's hard drive that the computer requires to locate and load the operating system. The overwritten MBR displays the same ransom message as the text file described above.

Thanos was first discovered in February 2020, when it was advertised for sale on underground forums. It shares code with other ransomware variants such as Hakbit, and it ships with a builder that lets the operator customize a sample through a variety of available settings. The ransomware appears to be still under active development: we observed newly added functionality in the samples built to run against the Middle Eastern and North African state-run organizations.

Impact

  • Files Encryption
  • MBR overwrite
  • Possible Financial Loss
  • Network-wide Infection

Indicators of Compromise

Source IP

  • 107[.]174[.]241[.]175

URL

  • http[:]//107[.]174[.]241[.]175[:]80/index[.]php

Remediation

  • Block the threat indicators at their respective controls.
  • Implement a strong password policy and implement multi-factor authentication where possible.
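As an added example (not part of the Rewterz advisory), the Python below turns the advisory's defanged indicator list into refanged values grouped by the control that should block them, which is the first remediation step above made concrete. The hash values in the sample input are constructed placeholders, and the type-to-control mapping is an assumption.

```python
import re
# Defanged IoCs as the advisory prints them ([.] and [:]). IP and URL are the
# advisory's; the two hashes are CONSTRUCTED placeholders, not the real hashes.
ADVISORY_IOCS = """
MD5
  • 00000000000000000000000000000000
SHA-256
  • 1111111111111111111111111111111111111111111111111111111111111111
Source IP
  • 107[.]174[.]241[.]175
URL
  • http[:]//107[.]174[.]241[.]175[:]80/index[.]php
"""
# Assumed mapping from indicator type to the control that should block it.
CONTROL_FOR = {"md5": "edr", "sha1": "edr", "sha256": "edr",
               "ipv4": "firewall", "url": "proxy"}
HEX = re.compile(r"[0-9a-fA-F]+")
IPV4 = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")

def refang(value: str) -> str:
    """Undo defanging: [.] -> . and [:] -> : ; hxxp -> http is also handled."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", ".").replace("[:]", ":"))

def classify(value: str) -> str:
    """Type a refanged indicator by shape: hash by hex length, IPv4 by octets."""
    if HEX.fullmatch(value):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value), "unknown")
    if (m := IPV4.fullmatch(value)) and all(int(o) <= 255 for o in m.groups()):
        return "ipv4"
    if value.startswith(("http://", "https://")):
        return "url"
    return "unknown"

def parse_iocs(text: str) -> list:
    """Return (kind, refanged value) for every bullet line of the IoC section."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("•"):
            value = refang(line.lstrip("•").strip())
            iocs.append((classify(value), value))
    return iocs

def by_control(iocs: list) -> dict:
    """Group refanged values by the control that should block them."""
    out = {}
    for kind, value in iocs:
        out.setdefault(CONTROL_FOR.get(kind, "review"), []).append(value)
    return out
```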