FortiGuard Labs Threat Research Report
Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Encrypting important files on victims’ computers for ransom
Severity level: Critical
Last week, FortiGuard Labs captured a new Thanos ransomware sample. This ransomware is being popularly advertised on the underground market as a Ransomware-as-a-Service (RaaS) tool. In this blog we will present the analysis of the captured sample.
This malware was written in C# (C-Sharp). C# is a programming language developed by Microsoft that runs on the .NET Framework. Using the “Detect It Easy” tool to check the information of this PE file, we can see that no packer or obfuscator were detected, and that it was compiled using VB.NET.
Another powerful tool we use to debug and analyze .Net-related malware is dnSpy.
As shown in Figure 2, the source code has been obfuscated. I tried to deobfuscate this sample using de4dot, but the tool detected an unknown obfuscator in the sample and failed to deobfuscate it. This makes it a little bit tricky for static analysis.
Through debugging and analyzing the decompiled code in dnspy, however, we still found a number of switch flags identifying which functionality is enabled. The variable names have also been obfuscated.
For example, if the network-spreading flag is enabled, the malware will download “paexec” from the URLs in Figure 4 and save it into the folder “C:\Users\[username]\AppData\Local\Temp\”. It then uses “paexec” to install the malware on other machines.
We found that this Thanos ransomware sample also used some anti-analysis techniques. The following is the anti-debugging code found in the sample.
Another anti-analysis code is shown below.
In the above code, the program is able to detect five conditions. If one of them is true, the malware process will kill itself. These five detections are:
The malware is also able to download the tool ProcessHide from the internet. This tool is used to hide processes from any monitoring tool that uses NtQuerySystemInformation.
This malware can also set some keys related to Windows Defender in the Windows Registry, as follows. This tactic is used to bypass detection by Windows Defender.
The modified keys in Windows Registry are shown in Figure 9.
After setting its keys in the Windows Registry, it can call the following function to run PowerShell in a hidden manner, as well as disable some features of Windows Defender.
Windows Defender PowerShell cmdlets are used to manage and configure Windows Defender. The Get-MpPreference cmdlet gets preferences for the Windows Defender scans and updates. The following code is used to set a number of options for MpPreference, which intend to bypass the detection of Windows Defender.
The malware can leverage net.exe commands to stop or bypass detection by a number of popular antivirus software, in addition to defeating Windows Defender.
The list of net.exe commands that can be executed is shown below.
net.exe stop avpsus /y
net.exe stop McAfeeDLPAgentService /y
net.exe stop mfewc /y
net.exe stop BMR Boot Service /y
net.exe stop NetBackup BMR MTFTP Service /y
net.exe stop DefWatch /y
net.exe stop ccEvtMgr /y
net.exe stop ccSetMgr /y
net.exe stop SavRoam /y
net.exe stop RTVscan /y
net.exe stop QBFCService /y
net.exe stop QBIDPService /y
net.exe stop Intuit.QuickBooks.FCS /y
net.exe stop QBCFMonitorService /y
net.exe stop YooBackup /y
net.exe stop YooIT /y
net.exe stop zhudongfangyu /y
net.exe stop stc_raw_agent /y
net.exe stop VSNAPVSS /y
net.exe stop VeeamTransportSvc /y
net.exe stop VeeamDeploymentService /y
net.exe stop VeeamNFSSvc /y
net.exe stop veeam /y
net.exe stop PDVFSService /y
net.exe stop BackupExecVSSProvider /y
net.exe stop BackupExecAgentAccelerator /y
net.exe stop BackupExecAgentBrowser /y
net.exe stop BackupExecDiveciMediaService /y
net.exe stop BackupExecJobEngine /y
net.exe stop BackupExecManagementService /y
net.exe stop BackupExecRPCService /y
net.exe stop AcrSch2Svc /y
net.exe stop AcronisAgent /y
net.exe stop CASAD2DWebSvc /y
net.exe stop CAARCUpdateSvc /y
net.exe stop sophos /y
To prevent termination of the Thanos malware, the malware also performs the following service control and taskkill commands.
In addition, the malware also performs vssadmin and delete commands to delete Windows Shadow copies and backups.
Encrypted file extensions include the following.
“dat, txt, jpeg, gif, jpg, png, php, cs, cpp, rar, zip, html, htm, xlsx, xls, avi, mp4, ppt, doc, docx, sxi, sxw, odt, hwp, tar, bz2, mkv, eml, msg, ost, pst, edb, sql, accdb, mdb, dbf, odb, myd, php, java, cpp, pas, asm, key, pfx, pem, p12, csr, gpg, aes, vsd, odg, raw, nef, svg, psd, vmx, vmdk, vdi, lay6, sqlite3, sqlitedb, accdb, java, class, mpeg, djvu, tiff, backup, pdf, cert, docm, xlsm, dwg, bak, qbw, nd, tlg, lgb, pptx, mov, xdw, ods, wav, mp3, aiff, flac, m4a, csv, sql, ora, mdf, ldf, ndf, dtsx, rdl, dim, mrimg, qbb, rtf, 7z”
A screenshot of HOW_TO_DECYPHER_FILES is shown below.
The malware can also detect the operating system version. If the operating system running this malware is neither Windows 10 nor Windows 8, it sets the reboot mode to safeboot with networking. In the end, it executes the command “shutdown /r /t 0” to reboot into safeboot mode. This was interesting because not all antivirus software can run an antivirus scan in safeboot mode. The malware forces the system to run in safeboot mode to bypass the detection of antivirus software.
This new Thanos ransomware variant allows attackers to generate customized payloads with a wide variety of features and options. In addition, this malware sample uses an unknown obfuscator. It also has the powerful capability of bypassing 37 different antivirus, anti-VM, anti-debugging, and anti-sandboxing applications. And it also can reboot an infected Windows 7 system in safeboot-with-networking mode to bypass detection by antivirus software.
This malicious PE file is detected as “MSIL/Agent.THY!tr” by the FortiGuard AntiVirus service.