Named as Thanos, the company's Insikt Group said the builder could be used to generate packages with as many as 43 different configurations and was being sold on Exploit Forum, presumably situated on the dark web, by an individual who had the moniker Nosophoros.
Recorded Future said its staff had analysed Thanos and found it be simple in its overall build, written in Microsoft's C# language, and easy to understand even though it had some obfuscation and advanced features.
It said that there were several code similarities with another ransomware package known as Hakbit, leading to a conclusion that the two were the same.
|
|
"At a high level, the technique describes a process to encrypt a target file by leveraging symbolic links through an MS-DOS device name to copy an encrypted version of the file to the original file location," Recorded Future said.
"When enabled in the Thanos builder, generated clients will have an extra class and a modification of the encryption workflow to use the RIPlace technique."
Thanos clients move laterally in a network using a tool known as SharpExec, which is designed for just this purpose, adding that the clients took advantage of the Wake On LAN feature available in some hardware.
Like many other Windows ransomware packages, Thanos clients also exfiltrate victims' data with a specified set of file extensions, these being .docx, .pdf, .xlsx, and .csv; these options could be changed at build time.
"At the time of publication, Insikt Group has observed that Nosophoros has received positive endorsements from the community, with claims that the tool 'works flawlessly' and requests to 'keep the updates coming',” Recorded Future said.
"Thanos is under active development by Nosophoros. Recorded Future assesses with high likelihood that Thanos will continue to be weaponized by threat actors either individually and collectively as part of the affiliate program."
