Security researchers from SurfWatch Labs have shut down a secret plan to hack and infect hundreds or possibly thousands of forums and websites hosted on the infrastructure of Invision Power Services, who are the makers of the IP.Board forum platform, now known as the IPS Community Suite.

The plan belonged to a malware coder known as AlphaLeon, who, at the start of March this year, started selling a new trojan called Thanatos.

Advertised as a MaaS (Malware-as-a-Service) rentable platform, to be attractive to its customers, Thanatos had to run on a very large number of infected hosts. In the infosec community, this structure is called a botnet, and the bigger it is, the easier it is to carry out all sorts of cyber-attacks.

AlphaLeon breached Invision Power Services servers

In order to increase the size of the Thanatos botnet, AlphaLeon needed to find a way to deliver the trojan to as many users as possible. For this, he devised a plan and later carried it out.

His idea consisted of finding and exploiting a vulnerability in the infrastructure of Invision Power Services (IPS), who offers its IPS Community Suite as a hosted platform, running on AWS (Amazon Web Services) servers.

After establishing a foothold on IPS' servers, AlphaLeon then intended to access the websites of IPS' customers and place an exploit kit on their pages. The exploit kit would automatically infect site visitors with the Thanatos trojan by leveraging vulnerabilities in the visitors (outdated) browsers and browser plugins.

IPS customers include large companies such as Evernote, the NHL, the Warner Music Group, Bethesda Softworks, and LiveNation. Besides classic IP.Board forums, IPS also allows customers to set up fully working sites, even e-commerce stores.

AlphaLeon: And I would have gotten away with it too if it weren't for those meddling kids

His plan was stopped short when SurfWatch Labs security experts got wind of his intentions while scanning the Dark Web. Researchers contacted IPS, who was unaware of the hacker's breach, discovered the entry point, and shut down his access. This incident happened at the start of April, and IPS is still in the process of investigating the breach.

According to the most recent Thanatos ads on the Dark Web, the trojan, which at the beginning of March was only a potent banking trojan, has now received new updates in the form of add-on modules.

These modules allow customers of the Thanatos botnet to launch DDoS attacks, deliver ransomware, access a victim's webcam, steal Bitcoin, send spam, or steal login credentials for various gaming platforms.

Our initial article on Thanatos also includes screenshots of the botnet's administration panel.