Joint Malware Analysis Report on "SlothfulMedia" RAT

Description

The United States Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF) have released a joint malware analysis report (MAR) on a malware variant named SlothfulMedia. Files and Indicators of Compromise (IOCs) were provided to Fortinet in advance due to our membership in the Cyber Threat Alliance (CTA) to ensure that our customers were offered immediate protection by the time of the announcement.

The report includes three files. The first one is a dropper that, when executed, will install two additional files onto a victim machine. The second file is a remote access trojan (RAT) that enables full control of a victim machine by a remote attacker. Finally, the third file will perform some cleanup and covering of tracks by deleting the dropper after the RAT successfully sets persistence on the victim machine.


What are the technical details?

Dropper - When run, the dropper drops two files: a RAT (mediaplayer.exe) and a cleanup tool. The dropper is a 32-bit Windows file created with the hidden attribute set to evade detection. It then creates a service on the system to establish persistence, so that the RAT (mediaplayer.exe) runs each time the machine is started. Various predefined parameters are then collected and exfiltrated over HTTP and HTTPS to a predefined command and control server controlled by the attacker.

RAT - The remote access trojan named "mediaplayer.exe" is dropped and executed by the dropper file. This file exhibits traditional RAT-like functionality and can specifically:

1. Create, write, and delete files

2. Open a command prompt to run arbitrary commands

3. Move files

4. Enumerate open ports

5. Enumerate drives

6. Enumerate processes by ID, name, or privileges

7. Kill and start processes

8. Enumerate files and directories

9. Open a named pipe and send and receive data

10. Capture the screen

11. Inject into processes

12. Enumerate services

13. Start/stop services

14. Modify the registry

15. Open/close TCP and UDP sessions

Artifact - Lastly, the third file is an artifact file with anti-analysis/anti-forensic capabilities: it looks for a specific running service on the victim machine and sets a registry key that ensures the dropper file is deleted during the next reboot. It also deletes the user's recent internet history for further cleanup.
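As an added defender-side check (not part of the MAR or of Fortinet's report), the following PowerShell snippet hunts a Windows host for the three artifacts described above: a service that launches mediaplayer.exe, a hidden-attribute copy of that file, and a registry entry queuing a file for deletion at the next reboot. It assumes the "delete on next reboot" mechanism is the standard PendingFileRenameOperations value, which the report summary does not name, and the drop-location list is constructed rather than taken from the report.

```powershell
# Added hunt script; not from the MAR or from Fortinet. Assumptions: "mediaplayer.exe" is
# the RAT file name given in the report; the service name is not given, so the service
# check matches on binary path; the "delete on next reboot" registry mechanism is assumed
# to be PendingFileRenameOperations, which the report summary does not name.
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Persistence: any service whose binary path references the RAT file name.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'mediaplayer\.exe' } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Type = 'Service'; Detail = "$($_.Name) [$($_.StartMode)] -> $($_.PathName)"
        })
    }

# 2. Hidden-attribute copies of the RAT under common drop locations (constructed list; widen as needed).
$roots = @($env:SystemRoot, $env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) | Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'mediaplayer.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'HiddenFile'; Detail = $_.FullName }) }
}

# 3. Files queued for rename/deletion at next boot. The value is a REG_MULTI_SZ of
#    source/destination pairs; an empty destination means "delete source on reboot".
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
for ($i = 0; $pending -and $i -lt $pending.Count; $i += 2) {
    $src = $pending[$i]
    $dst = if ($i + 1 -lt $pending.Count -and $pending[$i + 1]) { $pending[$i + 1] } else { '<delete>' }
    $findings.Add([pscustomobject]@{ Type = 'PendingRename'; Detail = "$src -> $dst" })
}

if ($findings.Count -eq 0) { 'No SlothfulMedia-style artifacts found.' } else { $findings | Format-Table -AutoSize }
```

Run it in an elevated session so the service list and HKLM value are fully readable; a pending deletion of a file in a user-writable location alongside a service pointing at mediaplayer.exe is the combination worth escalating.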


Is there any attribution provided within the MAR?

No attribution to a specific nation state or threat actor was provided in this report.


What is the status of AV and IPS coverage?

Customers running the latest definition sets are protected by the following AV signatures:

W32/SlothFulMedia.2E0F!tr

W32/SlothFulMedia.9C85!tr

W32/SlothFulMedia.4EE8!tr

IPS coverage is not applicable at this time. All network IOCs mentioned in this report have been blocked by the Web Filtering Client.