SLOTHFULMEDIA
SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017.[1][2] It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.[3][4]
In October 2020, Kaspersky Labs assessed SLOTHFULMEDIA is part of an activity cluster it refers to as "IAmTheKing".[4] ESET also noted code similarity between SLOTHFULMEDIA and droppers used by a group it refers to as "PowerPool".[5]
Associated Software Descriptions
| Name | Description |
|---|---|
| JackOfHearts |
Kaspersky Labs refers to the "mediaplayer.exe" dropper within SLOTHFULMEDIA as the JackOfHearts.[4] |
| QueenOfClubs |
Kaspersky Labs assesses SLOTHFULMEDIA is an older variant of a malware family it refers to as the QueenOfClubs.[4] |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
SLOTHFULMEDIA has used HTTP and HTTPS for C2 communications.[1] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
SLOTHFULMEDIA can open a command line to execute commands.[1] |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
SLOTHFULMEDIA has created a service on victim machines named "TaskFrame" to establish persistence.[1] |
| Enterprise | T1005 | Data from Local System |
SLOTHFULMEDIA has uploaded files and information from victim machines.[1] |
|
| Enterprise | T1001 | Data Obfuscation |
SLOTHFULMEDIA has hashed a string containing system information prior to exfiltration via POST requests.[1] |
|
| Enterprise | T1041 | Exfiltration Over C2 Channel |
SLOTHFULMEDIA has sent system information to a C2 server via HTTP and HTTPS POST requests.[1] |
|
| Enterprise | T1083 | File and Directory Discovery |
SLOTHFULMEDIA can enumerate files and directories.[1] |
|
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
SLOTHFULMEDIA has been created with a hidden attribute to insure it's not visible to the victim.[1] |
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
SLOTHFULMEDIA has deleted itself and the 'index.dat' file on a compromised machine to remove recent Internet history from the system.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
SLOTHFULMEDIA has downloaded files onto a victim machine.[1] |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
SLOTHFULMEDIA has a keylogging capability.[1] |
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
SLOTHFULMEDIA has named a service it establishes on victim machines as "TaskFrame" to hide its malicious purpose.[1] |
| .005 | Masquerading: Match Legitimate Name or Location |
SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe.[1] |
||
| Enterprise | T1112 | Modify Registry |
SLOTHFULMEDIA can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the |
|
| Enterprise | T1057 | Process Discovery |
SLOTHFULMEDIA has enumerated processes by ID, name, or privileges.[1] |
|
| Enterprise | T1055 | Process Injection |
SLOTHFULMEDIA can inject into running processes on a compromised host.[1] |
|
| Enterprise | T1113 | Screen Capture |
SLOTHFULMEDIA has taken a screenshot of a victim's desktop, named it "Filter3.jpg", and stored it in the local directory.[1] |
|
| Enterprise | T1489 | Service Stop |
SLOTHFULMEDIA has the capability to stop processes and services.[1] |
|
| Enterprise | T1082 | System Information Discovery |
SLOTHFULMEDIA has collected system name, OS version, adapter information, memory usage, and disk information from a victim machine.[1] |
|
| Enterprise | T1049 | System Network Connections Discovery |
SLOTHFULMEDIA can enumerate open ports on a victim machine.[1] |
|
| Enterprise | T1033 | System Owner/User Discovery |
SLOTHFULMEDIA has collected the username from a victim machine.[1] |
|
| Enterprise | T1007 | System Service Discovery |
SLOTHFULMEDIA has the capability to enumerate services.[1] |
|
| Enterprise | T1569 | .002 | System Services: Service Execution |
SLOTHFULMEDIA has the capability to start services.[1] |
References
- DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
- Costin Raiu. (2020, October 2). Costin Raiu Twitter IAmTheKing SlothfulMedia. Retrieved November 16, 2020.
- USCYBERCOM. (2020, October 1). USCYBERCOM Cybersecurity Alert SLOTHFULMEDIA. Retrieved November 16, 2020.