Threat Signal Report

Joint Malware Analysis Report on "SlothfulMedia" RAT

Description

The United States Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF) have released a joint malware analysis report (MAR) on a malware variant named SlothfulMedia. Files and Indicators of Compromise (IOCs) were provided to Fortinet in advance due to our membership in the Cyber Threat Alliance (CTA) to ensure that our customers were offered immediate protection by the time of the announcement.

The report includes three files. The first is a dropper that, when executed, installs two additional files onto a victim machine. The second is a remote access trojan (RAT) that gives a remote attacker full control of the victim machine. The third cleans up and covers tracks by deleting the dropper once the RAT has successfully established persistence on the victim machine.


What are the technical details?

Dropper - When run, the dropper drops two files: a RAT (mediaplayer.exe) and a cleanup tool. The dropper is a 32-bit Windows executable, and the files it drops are created with the hidden attribute set to evade detection. It then creates a service on the system to establish persistence, so that the RAT (mediaplayer.exe) is run each time the machine starts. Various predefined parameters are then collected from the host and exfiltrated over HTTP and HTTPS to a predefined command and control server controlled by the attacker.
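The service-based persistence described above is the most durable host artifact the dropper leaves behind. The following is an added example, not code from the report or from Fortinet: it runs a small hunt over constructed records shaped like Windows System log Event ID 7045 ("A service was installed in the system") and flags installs whose binary is named mediaplayer.exe or whose auto-start binary sits outside the standard system directories. The service names and file paths are made up for the example, and the out-of-system-directory heuristic is an assumption of this example rather than something the report states.

```python
import re

# Builds a message body in the layout of a Service Control Manager 7045 event.
# All names and paths passed in are constructed for this example, not real IOCs.
def _msg(name, path, start="auto start"):
    return ("A service was installed in the system.\n\nService Name: %s\n"
            "Service File Name: %s\nService Type: user mode service\n"
            "Service Start Type: %s\nService Account: LocalSystem" % (name, path, start))

# Constructed sample events: one SlothfulMedia-style install, one benign, one unrelated.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Message": _msg("MediaSvc", "C:\\Users\\Public\\mediaplayer.exe")},
    {"EventID": 7045, "Message": _msg("Spooler", "C:\\Windows\\System32\\spoolsv.exe")},
    {"EventID": 7036, "Message": "The Print Spooler service entered the running state."},
]

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Start Type): (.*)$", re.MULTILINE)
# Assumed "expected" locations for service binaries; anything else is worth a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_7045(message):
    """Extract the key/value lines from a 7045 message body into a dict."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(message)}

def classify(fields):
    """Return the reasons a newly installed service resembles the MAR's persistence."""
    path = fields.get("Service File Name", "").strip('"').lower()
    auto = fields.get("Service Start Type", "").lower() == "auto start"
    reasons = []
    if path.rsplit("\\", 1)[-1] == "mediaplayer.exe":
        reasons.append("binary named mediaplayer.exe (RAT file name from the MAR)")
    if auto and not path.startswith(TRUSTED_DIRS):
        reasons.append("auto-start service whose binary lives outside system directories")
    return reasons

def hunt(events):
    """Scan event records and return one finding per suspicious 7045 event."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue  # only service-install events carry the fields we need
        fields = parse_7045(ev["Message"])
        reasons = classify(fields)
        if reasons:
            findings.append({"service": fields.get("Service Name"),
                             "path": fields.get("Service File Name"), "reasons": reasons})
    return findings
```

On a live host the same records can be pulled from the System log and fed to hunt() one dict per event.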

RAT - The remote access trojan named "mediaplayer.exe" is dropped and executed by the dropper. It exhibits traditional RAT-like functionality and can specifically:

1. Create, write, and delete files

2. Open a command prompt to run arbitrary commands

3. Move files

4. Enumerate open ports

5. Enumerate drives

6. Enumerate processes by ID, name, or privileges

7. Kill and start processes

8. Enumerate files and directories

9. Open a named pipe and send and receive data

10. Capture the screen

11. Inject into processes

12. Enumerate services

13. Start and stop services

14. Modify the registry

15. Open and close TCP and UDP sessions

Artifact - Lastly, the third file is an artifact with anti-analysis and anti-forensic capabilities: it looks for a specific running service on the victim machine and sets a registry key that ensures the targeted file is deleted during the next reboot. It also deletes the user's recent internet history for further cleanup.


Is there any attribution provided within the MAR?

No attribution to a specific nation state or threat actor was provided in this report.


What is the status of AV and IPS coverage?

Customers running the latest definition sets are protected by the following AV signatures:

W32/SlothFulMedia.2E0F!tr

W32/SlothFulMedia.9C85!tr

W32/SlothFulMedia.4EE8!tr

IPS coverage is not applicable at this time. All network IOCs mentioned in this report are blocked by the Web Filtering client.


Definitions

Traffic Light Protocol

Each color is described below by when it should be used and how it may be shared.

TLP: RED
Not for disclosure, restricted to participants only.
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER
Limited disclosure, restricted to participants' organizations.
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN
Limited disclosure, restricted to the community.
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE
Disclosure is not limited.
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.