S0533 SLOTHFULMEDIA
SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified “sophisticated cyber actor” since at least January 2017.[1][2] It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.[3][4]
In October 2020, Kaspersky Labs assessed SLOTHFULMEDIA is part of an activity cluster it refers to as “IAmTheKing”.[4] ESET also noted code similarity between SLOTHFULMEDIA and droppers used by a group it refers to as “PowerPool”.[5]
Item | Value |
---|---|
ID | S0533 |
Associated Names | JackOfHearts, QueenOfClubs |
Type | MALWARE |
Version | 1.0 |
Created | 16 November 2020 |
Last Modified | 13 April 2021 |
Associated Software Descriptions
Name | Description |
---|---|
JackOfHearts | Kaspersky Labs refers to the “mediaplayer.exe” dropper within SLOTHFULMEDIA as the JackOfHearts. [4] |
QueenOfClubs | Kaspersky Labs assesses SLOTHFULMEDIA is an older variant of a malware family it refers to as the QueenOfClubs. [4] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | SLOTHFULMEDIA has used HTTP and HTTPS for C2 communications. [1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | SLOTHFULMEDIA can open a command line to execute commands. [1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | SLOTHFULMEDIA has created a service on victim machines named “TaskFrame” to establish persistence. [1] |
enterprise | T1005 | Data from Local System | SLOTHFULMEDIA has uploaded files and information from victim machines. [1] |
enterprise | T1001 | Data Obfuscation | SLOTHFULMEDIA has hashed a string containing system information prior to exfiltration via POST requests. [1] |
enterprise | T1041 | Exfiltration Over C2 Channel | SLOTHFULMEDIA has sent system information to a C2 server via HTTP and HTTPS POST requests. [1] |
enterprise | T1083 | File and Directory Discovery | SLOTHFULMEDIA can enumerate files and directories. [1] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | SLOTHFULMEDIA has been created with a hidden attribute to ensure it is not visible to the victim. [1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | SLOTHFULMEDIA has deleted itself and the ‘index.dat’ file on a compromised machine to remove recent Internet history from the system. [1] |
enterprise | T1105 | Ingress Tool Transfer | SLOTHFULMEDIA has downloaded files onto a victim machine. [1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | SLOTHFULMEDIA has a keylogging capability. [1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.004 | Masquerade Task or Service | SLOTHFULMEDIA has named a service it establishes on victim machines “TaskFrame” to hide its malicious purpose. [1] |
enterprise | T1036.005 | Match Legitimate Name or Location | SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe. [1] |
enterprise | T1112 | Modify Registry | SLOTHFULMEDIA can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap registry key. [1] |
enterprise | T1057 | Process Discovery | SLOTHFULMEDIA has enumerated processes by ID, name, or privileges. [1] |
enterprise | T1055 | Process Injection | SLOTHFULMEDIA can inject into running processes on a compromised host. [1] |
enterprise | T1113 | Screen Capture | SLOTHFULMEDIA has taken a screenshot of a victim’s desktop, named it “Filter3.jpg”, and stored it in the local directory. [1] |
enterprise | T1489 | Service Stop | SLOTHFULMEDIA has the capability to stop processes and services. [1] |
enterprise | T1082 | System Information Discovery | SLOTHFULMEDIA has collected system name, OS version, adapter information, memory usage, and disk information from a victim machine. [1] |
enterprise | T1049 | System Network Connections Discovery | SLOTHFULMEDIA can enumerate open ports on a victim machine. [1] |
enterprise | T1033 | System Owner/User Discovery | SLOTHFULMEDIA has collected the username from a victim machine. [1] |
enterprise | T1007 | System Service Discovery | SLOTHFULMEDIA has the capability to enumerate services. [1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | SLOTHFULMEDIA has the capability to start services. [1] |
References
- [1] DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
- [2] Costin Raiu. (2020, October 2). Costin Raiu Twitter IAmTheKing SlothfulMedia. Retrieved November 16, 2020.
- [3] USCYBERCOM. (2020, October 1). USCYBERCOM Cybersecurity Alert SLOTHFULMEDIA. Retrieved November 16, 2020.
- [4] Ivan Kwiatkowski, Pierre Delcher, Felix Aime. (2020, October 15). IAmTheKing and the SlothfulMedia malware family. Retrieved October 15, 2020.
- [5] ESET Research. (2020, October 1). ESET Research Tweet Linking Slothfulmedia and PowerPool. Retrieved November 17, 2020.