Thanatos Trojan attacks competing malware
Malware-assassinating Trojan that mirrors ZeuS surfaces on the underground hacking market
Thanatos is the latest strain of malware to be discovered in the underground hacking market, and it sports the ability to delete competing malware from infected targets.
Thanatos, named after the personification of death in Greek mythology, was discovered on 6 March by security firm Proofpoint. It strives to market itself as a ZeuS banking Trojan alternative, but also advertises its malware-killing capabilities.
According to an ad in an underground hacking forum, Thanatos works on all Windows versions and does not require admin privileges. It is also capable of evading anti-virus detection, is 32- and 64-bit friendly, and is written in C++, MASM, and Delphi, similarly to ZeuS, which, coincidentally, had its source code leaked.
The Trojan's main functionality is its FormGrabber module, which can inject data inside the processes of popular Web browsers such as Internet Explorer (7-11), Firefox (all versions), Google Chrome (30+, except version 47) and even the newer Edge.
Its creators have revealed it is not yet compatible with Opera and Safari, but they are working on expanding support for these browsers.
Thanatos' malware-killing component enables the downloader module to fetch and install other software, along with an AV-Module that behaves as an anti-virus, scanning the infected target for other known malware and deleting it.
To ensure that the malware it detects is actual malware and not a false positive, Thanatos will store a copy of the suspicious files and upload it to VirusTotal for confirmation. This is a first for a Trojan.
All of this is available as a malware-as-a-service offering for $1,700 per month, or $12,000 for a lifetime license.