SLOTHFULMEDIA RAT, a new weapon in the arsenal of a sophisticated threat actor

Pierluigi Paganini October 05, 2020

U.S. DoD and the DHS CISA agency published a malware analysis report for a new malware variant tracked as SLOTHFULMEDIA

The U.S. Department of Defense’s Cyber National Mission Force (CNMF) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have published a malware analysis report that provides technical details of a new dropper tracked as SLOTHFULMEDIA.

Like other MAR analysis, the report provides technical details about the threat, including indicators of compromise (IoC), suggestions for response actions, and recommendations to prevent infections.

“The sample is a dropper, which deploys two files when executed. The first is a remote access tool (RAT) named ‘mediaplayer.exe’’, which is designed for command and control (C2) of victim computer systems. Analysis has determined the RAT has the ability to terminate processes, run arbitrary commands, take screen shots, modify the registry, and modify files on victim machines.” reads the joint report.

“The second file has a random five-character name and deletes the dropper once the RAT has persistence. Persistence is achieved through the creation of a service named “Task Frame”, which ensures the RAT is loaded after a reboot.”

Upon executing the SLOTHFULMEDIA malware, it drops two malicious codes, a RAT and a component that removes the dropper once the RAT achieves persistence on the infected system.

The SlothfulMedia malware has been used by a sophisticated threat actor, the RAT allows attackers to run arbitrary commands, terminate processes, take screenshots, modify the registry, and make changes to files. The RAT communicates with its C2 controller via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP).

The Government agencies recommend users and administrators to report any activities associated with the malware, giving the attacks that employ this malware the highest priority.

The malware was also shared on VirusTotal by the U.S Cyber Command and some malware researchers also shared Yara rules and IoCs for the threat

The report on SLOTHFULMEDIA doesn’t provide any information on the threat actors behind this malware, the US agencies only revealed that it was used it attacks against entities in India, Kazakhstan, Kyrgyzstan, Malaysia, Russia, and Ukraine.

The website SecurityWeek, citing the security firm ESET, reported a possible link between the SLOTHFULMEDIA RAT and the threat actor PowerPool, a threat actor that was spotted in August 2018 while exploiting a Windows zero-day vulnerability.

At the time, the threat actor leveraged the Windows zero-day exploit in targeted attacks against a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines, and Poland.

According to ESET, attackers have modified the publicly available exploit source code and recompiled it.

PowerPool’s attack vector is spear-phishing messages, ESET researchers pointed out that the same group was also responsible for a spam campaign spotted by SANS in May 2018 that used Symbolic Link (.slk) files to spread malicious codes.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SLOTHFULMEDIA)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment