Analysis of .NET Thanos Ransomware Supporting Safeboot with Networking Mode

FortiGuard Labs Threat Research Report

Affected platforms:    Microsoft Windows
Impacted parties:       Windows Users
Impact:                       Encrypting important files on victims’ computers for ransom
Severity level:             Critical

Last week, FortiGuard Labs captured a new Thanos ransomware sample. This ransomware is being popularly advertised on the underground market as a Ransomware-as-a-Service (RaaS) tool. In this blog we will present the analysis of the captured sample.

Malware PE File

This malware was written in C# (C-Sharp). C# is a programming language developed by Microsoft that runs on the .NET Framework. Using the “Detect It Easy” tool to check the information of this PE file, we can see that no packer or obfuscator were detected, and that it was compiled using VB.NET. 

Another powerful tool we use to debug and analyze .Net-related malware is dnSpy. 

As shown in Figure 2, the source code has been obfuscated. I tried to deobfuscate this sample using de4dot, but the tool detected an unknown obfuscator in the sample and failed to deobfuscate it. This makes it a little bit tricky for static analysis.

Through debugging and analyzing the decompiled code in dnspy, however, we still found a number of switch flags identifying which functionality is enabled. The variable names have also been obfuscated.

For example, if the network-spreading flag is enabled, the malware will download “paexec” from the URLs in Figure 4 and save it into the folder “C:\Users\[username]\AppData\Local\Temp\”. It then uses “paexec” to install the malware on other machines.

Anti-Analysis

We found that this Thanos ransomware sample also used some anti-analysis techniques. The following is the anti-debugging code found in the sample.

Another anti-analysis code is shown below.

In the above code, the program is able to detect five conditions. If one of them is true, the malware process will kill itself. These five detections are:

1. Checks if a virtual machine is being used, such as VMware or VirtualBox.
2. Calls the function CheckRemoteDebuggerPresent() to check if there is a debugger attached to the process. This is an anti-debugging technique.
3. Searches to see if sbiedll.dll is loaded by calling GetModuleHandleA. This is done to check if the malware is running under Sandboxie. Sandboxie is an open-source sandboxing program for Microsoft Windows. Sandboxie creates an isolated operating environment in which applications can be run or installed without permanently modifying the local system. This virtual environment allows for controlled testing of untrusted programs and web surfing.
4. Checks if the malware is running on a system with a small hard drive. Virtual machines usually use a small hard drive. This is used for anti-VM. 
5. Checks if the host machine is Windows XP.

The malware is also able to download the tool ProcessHide from the internet. This tool is used to hide processes from any monitoring tool that uses NtQuerySystemInformation.

Bypass Windows Defender

This malware can also set some keys related to Windows Defender in the Windows Registry, as follows. This tactic is used to bypass detection by Windows Defender.

The modified keys in Windows Registry are shown in Figure 9.

After setting its keys in the Windows Registry, it can call the following function to run PowerShell in a hidden manner, as well as disable some features of Windows Defender.

Windows Defender PowerShell cmdlets are used to manage and configure Windows Defender. The Get-MpPreference cmdlet gets preferences for the Windows Defender scans and updates. The following code is used to set a number of options for MpPreference, which intend to bypass the detection of Windows Defender.

Bypass AntiVirus

The malware can leverage net.exe commands to stop or bypass detection by a number of popular antivirus software, in addition to defeating Windows Defender.

The list of net.exe commands that can be executed is shown below.

net.exe stop avpsus /y

net.exe stop McAfeeDLPAgentService /y

net.exe stop mfewc /y

net.exe stop BMR Boot Service /y

net.exe stop NetBackup BMR MTFTP Service /y

net.exe stop DefWatch /y

net.exe stop ccEvtMgr /y

net.exe stop ccSetMgr /y

net.exe stop SavRoam /y

net.exe stop RTVscan /y

net.exe stop QBFCService /y

net.exe stop QBIDPService /y

net.exe stop Intuit.QuickBooks.FCS /y

net.exe stop QBCFMonitorService /y

net.exe stop YooBackup /y

net.exe stop YooIT /y

net.exe stop zhudongfangyu /y

net.exe stop stc_raw_agent /y

net.exe stop VSNAPVSS /y

net.exe stop VeeamTransportSvc /y

net.exe stop VeeamDeploymentService /y

net.exe stop VeeamNFSSvc /y

net.exe stop veeam /y

net.exe stop PDVFSService /y

net.exe stop BackupExecVSSProvider /y

net.exe stop BackupExecAgentAccelerator /y

net.exe stop BackupExecAgentBrowser /y

net.exe stop BackupExecDiveciMediaService /y

net.exe stop BackupExecJobEngine /y

net.exe stop BackupExecManagementService /y

net.exe stop BackupExecRPCService /y

net.exe stop AcrSch2Svc /y

net.exe stop AcronisAgent /y

net.exe stop CASAD2DWebSvc /y

net.exe stop CAARCUpdateSvc /y

net.exe stop sophos /y

Other Tactics for Bypassing Detection

To prevent termination of the Thanos malware, the malware also performs the following service control and taskkill commands.

In addition, the malware also performs vssadmin and delete commands to delete Windows Shadow copies and backups.

Encryption

Encrypted file extensions include the following.

“dat, txt, jpeg, gif, jpg, png, php, cs, cpp, rar, zip, html, htm, xlsx, xls, avi, mp4, ppt, doc, docx, sxi, sxw, odt, hwp, tar, bz2, mkv, eml, msg, ost, pst, edb, sql, accdb, mdb, dbf, odb, myd, php, java, cpp, pas, asm, key, pfx, pem, p12, csr, gpg, aes, vsd, odg, raw, nef, svg, psd, vmx, vmdk, vdi, lay6, sqlite3, sqlitedb, accdb, java, class, mpeg, djvu, tiff, backup, pdf, cert, docm, xlsm, dwg, bak, qbw, nd, tlg, lgb, pptx, mov, xdw, ods, wav, mp3, aiff, flac, m4a, csv, sql, ora, mdf, ldf, ndf, dtsx, rdl, dim, mrimg, qbb, rtf, 7z”

A screenshot of HOW_TO_DECYPHER_FILES is shown below.

Safeboot with Networking

The malware can also detect the operating system version. If the operating system running this malware is neither Windows 10 nor Windows 8, it sets the reboot mode to safeboot with networking. In the end, it executes the command “shutdown /r /t 0” to reboot into safeboot mode. This was interesting because not all antivirus software can run an antivirus scan in safeboot mode. The malware forces the system to run in safeboot mode to bypass the detection of antivirus software.

Conclusion

This new Thanos ransomware variant allows attackers to generate customized payloads with a wide variety of features and options. In addition, this malware sample uses an unknown obfuscator. It also has the powerful capability of bypassing 37 different antivirus, anti-VM, anti-debugging, and anti-sandboxing applications. And it also can reboot an infected Windows 7 system in safeboot-with-networking mode to bypass detection by antivirus software. 

Solution

This malicious PE file is detected as “MSIL/Agent.THY!tr” by the FortiGuard AntiVirus service.

Reference 

SHA256

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio. Sign up for the weekly Threat Brief from FortiGuard Labs. 

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert program, Network Security Academy program, and FortiVet program.