SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017.[1][2] It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.[3][4]
In October 2020, Kaspersky Labs assessed SLOTHFULMEDIA is part of an activity cluster it refers to as "IAmTheKing".[4] ESET also noted code similarity between SLOTHFULMEDIA and droppers used by a group it refers to as "PowerPool".[5]
| Name | Description |
|---|---|
| JackOfHearts | Kaspersky Labs refers to the "mediaplayer.exe" dropper within SLOTHFULMEDIA as the JackOfHearts.[4] |
| QueenOfClubs | Kaspersky Labs assesses SLOTHFULMEDIA is an older variant of a malware family it refers to as the QueenOfClubs.[4] |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | SLOTHFULMEDIA has uploaded files and information from victim machines.[1] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | SLOTHFULMEDIA has named a service it establishes on victim machines as "TaskFrame" to hide its malicious purpose.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe.[1] |
| Enterprise | T1112 | Modify Registry | SLOTHFULMEDIA can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | SLOTHFULMEDIA has created a service on victim machines named "TaskFrame" to establish persistence.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SLOTHFULMEDIA can open a command line to execute commands.[1] |
| Enterprise | T1113 | Screen Capture | SLOTHFULMEDIA has taken a screenshot of a victim's desktop, named it "Filter3.jpg", and stored it in the local directory.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | SLOTHFULMEDIA has used HTTP and HTTPS for C2 communications.[1] |
| Enterprise | T1001 | Data Obfuscation | SLOTHFULMEDIA has hashed a string containing system information prior to exfiltration via POST requests.[1] |
| Enterprise | T1083 | File and Directory Discovery | SLOTHFULMEDIA can enumerate files and directories.[1] |
| Enterprise | T1489 | Service Stop | SLOTHFULMEDIA has the capability to stop processes and services.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | SLOTHFULMEDIA has deleted itself and the 'index.dat' file on a compromised machine to remove recent Internet history from the system.[1] |
| Enterprise | T1082 | System Information Discovery | SLOTHFULMEDIA has collected system name, OS version, adapter information, memory usage, and disk information from a victim machine.[1] |
| Enterprise | T1033 | System Owner/User Discovery | SLOTHFULMEDIA has collected the username from a victim machine.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | SLOTHFULMEDIA has the capability to start services.[1] |
| Enterprise | T1007 | System Service Discovery | SLOTHFULMEDIA has the capability to enumerate services.[1] |
| Enterprise | T1049 | System Network Connections Discovery | SLOTHFULMEDIA can enumerate open ports on a victim machine.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | SLOTHFULMEDIA has downloaded files onto a victim machine.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | SLOTHFULMEDIA has a keylogging capability.[1] |
| Enterprise | T1057 | Process Discovery | SLOTHFULMEDIA has enumerated processes by ID, name, or privileges.[1] |
| Enterprise | T1055 | Process Injection | SLOTHFULMEDIA can inject into running processes on a compromised host.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SLOTHFULMEDIA has sent system information to a C2 server via HTTP and HTTPS POST requests.[1] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | SLOTHFULMEDIA has been created with a hidden attribute to ensure it is not visible to the victim.[1] |
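As an added example, not part of this page or of any product, the host-based indicators the table attributes to SLOTHFULMEDIA (the "TaskFrame" service, a hidden mediaplayer.exe, Filter3.jpg, deletion of index.dat) are turned into detection rules and run over constructed endpoint telemetry; the event shape, field names and the "legitimate copies live under Program Files" assumption are mine.

```python
# Added example: map SLOTHFULMEDIA indicators from the ATT&CK page to simple rules
# and evaluate them over constructed endpoint events. Event fields are assumed.
from dataclasses import dataclass, field


@dataclass
class Event:
    kind: str                     # "service_installed", "file_created", "file_deleted"
    name: str                     # service name or file name
    path: str = ""                # full path of the file, if any
    attributes: set = field(default_factory=set)   # e.g. {"hidden"}


# (technique id from the page, short description, predicate over an Event)
RULES = [
    ("T1543.003", "service named TaskFrame installed",
     lambda e: e.kind == "service_installed" and e.name.lower() == "taskframe"),
    # Assumption: a legitimate mediaplayer.exe would live under Program Files.
    ("T1036.005", "mediaplayer.exe written outside Program Files",
     lambda e: e.kind == "file_created" and e.name.lower() == "mediaplayer.exe"
     and not e.path.lower().startswith(r"c:\program files")),
    ("T1564.001", "executable dropped with the hidden attribute",
     lambda e: e.kind == "file_created" and e.name.lower().endswith(".exe")
     and "hidden" in e.attributes),
    ("T1113", "screenshot written as Filter3.jpg",
     lambda e: e.kind == "file_created" and e.name.lower() == "filter3.jpg"),
    ("T1070.004", "index.dat deleted",
     lambda e: e.kind == "file_deleted" and e.name.lower() == "index.dat"),
]


def match_events(events):
    """Return {technique_id: [evidence strings]} for every rule that fired."""
    hits = {}
    for e in events:
        for tid, desc, pred in RULES:
            if pred(e):
                hits.setdefault(tid, []).append(f"{desc}: {e.path or e.name}")
    return hits


# Constructed telemetry for one host; paths are invented, not from the page.
SAMPLE_EVENTS = [
    Event("file_created", "mediaplayer.exe", r"C:\Users\alice\AppData\Local\Temp\mediaplayer.exe", {"hidden"}),
    Event("service_installed", "TaskFrame"),
    Event("file_created", "Filter3.jpg", r"C:\Users\alice\AppData\Local\Temp\Filter3.jpg"),
    Event("file_deleted", "index.dat", r"C:\Users\alice\AppData\Local\Microsoft\Windows\History\index.dat"),
    Event("file_created", "notes.txt", r"C:\Users\alice\Documents\notes.txt"),   # benign noise
]

if __name__ == "__main__":
    for tid, evidence in sorted(match_events(SAMPLE_EVENTS).items()):
        print(tid, evidence)
```

Any single rule firing is only a hint; the combination of a TaskFrame service plus a hidden executable masquerading as mediaplayer.exe on the same host is what warrants escalation.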