Thanatos is a new trojan which was discoved on March 6, this year, by the security firm Proofpoint.
Thanatos (personification of Death in Greek mythology), also known as Alphabot, is a banking trojan which, when distributed to desired targets, it can help its authors create a global-spanning botnet through which all sorts of malware modules can be pushed to its victims.
The creators of Thanatos claim that their service is close to ZeuS, though it is better.
ZeuS is known as a now-defunct botnet which was active in 2014 and delivered mostly a banking trojan of the same name, and a few ransomware families in some rarer instances.
An ad published in an underground hacking forum says that Thanatos works on all Windows versions, XP and onward, doesn’t need admin privileges, can evade antivirus detection, is 32- and 64-bit friendly, and, just like to ZeuS, it is written in C++, Masm, and Delphi.
The main functionality of Thanatos is its FormGrabber module, which can inject data inside the processes of popular Web browsers such as Internet Explorer (7-11), Firefox (all versions), Google Chrome (30+, except version 47) and even the newer Edge browser.
Currently, Thanatos does not work with Opera and Safari, though the creators of malware say that they’re working on expanding support for these browsers as well.
Thanatos trojan comes with a malware-killing component. Along with a so-called AV-Module acting as an antivirus, scanning the infected target for other known malware, and deleting it from infected systems, a downloader module is also included for fetching and installing other software.
Last autumn, this type of behavior was seen with the Shifu banking trojan that lets the hacker maximize their earnings by not sharing infected hosts with other crooks, while not risking getting exposed due to another badly coded malware found on the same system.
In order to make sure that the malware it detects is actual malware and not a false positive, Thanatos will take a copy of the suspicious file and upload it to VirusTotal for confirmation. In fact, this is the first time when a trojan is taking such action.
All the above-mentioned is available as a malware-as-a-service offering for $1,700 per month, or at $12,000 for a lifetime license.