SLOTHFULMEDIA Remote Access Trojan

SLOTHFULMEDIA is a new, sophisticated remote access trojan and dropper with links to a yet-unidentified APT group.

This trojan deploys two files when executed. The first is a remote access tool (RAT) named ‘mediaplayer.exe’, which is designed for command and control (C2) of victim computer systems. Analysis has determined that the RAT has the ability to terminate processes, run arbitrary commands, take screenshots, modify the registry, and modify files on victim machines.

It appears to communicate with its C2 controller via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP).

The second file has a random five-character name and deletes the dropper once the RAT has persistence. Persistence is achieved through the creation of a service named “Task Frame”, which ensures the RAT is loaded after a reboot.

Indicators of compromise

Domains

  • sdvro.net

Host indicators

Registry entries

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Name: IntranetName Value: 1
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Name: ProxyBypass Value: 1
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Name: UNCAsIntranet Value: 1
  • HKLM\System\CurrentControlSet\Control\SessionManager\PendingFileRenameOperations Data: \??\C:\Users\<user>\AppData\Local\Temp\wHPEO.exe
  • HKLM\System\CurrentControlSet\Services\TaskFrame DisplayName: TaskFrame
  • HKLM\System\CurrentControlSet\Services\TaskFrame ErrorControl: 1
  • HKLM\System\CurrentControlSet\Services\TaskFrame ImagePath: C:\Users\<user>\AppData\Roaming\Media\mediaplayer.exe
  • HKLM\System\CurrentControlSet\Services\TaskFrame ObjectName: LocalSystem
  • HKLM\System\CurrentControlSet\Services\TaskFrame Start: 2
  • HKLM\System\CurrentControlSet\Services\TaskFrame Type: 272

SHA256 hashes

  • 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa
  • 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
  • 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae
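As an added example (not part of the original post), the host and network indicators above can be turned into a small triage check. It assumes registry data has already been exported as (key, value name, data) tuples in the short HKLM/HKCU form used on this page, and that DNS logs are plain text lines; the sample input below is constructed, not real data. The dropper's five-character name is random per infection, so it is matched by shape rather than by the one name listed.

```python
import re

# Host indicators from the advisory. The dropper name is random (five
# characters), so it is matched by pattern rather than by literal value.
SERVICE_KEY = r"HKLM\System\CurrentControlSet\Services\TaskFrame"
PENDING_KEY = (r"HKLM\System\CurrentControlSet\Control\SessionManager"
               r"\PendingFileRenameOperations")
RAT_PATH_RE = re.compile(r"\\AppData\\Roaming\\Media\\mediaplayer\.exe$", re.I)
DROPPER_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z0-9]{5}\.exe$", re.I)
C2_DOMAIN = "sdvro.net"


def scan_registry(entries):
    """entries: (key, value_name, data) tuples from a registry export.
    Returns a list of findings; an empty list means nothing matched."""
    findings = []
    for key, name, data in entries:
        key_n = key.rstrip("\\").lower().replace("hkey_local_machine", "hklm")
        data_s = str(data)
        if key_n == SERVICE_KEY.lower():
            if name == "ImagePath" and RAT_PATH_RE.search(data_s):
                findings.append(f"TaskFrame service ImagePath is the RAT: {data_s}")
            elif name == "Start" and data_s == "2":  # 2 = SERVICE_AUTO_START
                findings.append("TaskFrame service is set to auto-start at boot")
        # Accept the value either as a key suffix (as listed on the page) or
        # as the value name under Session Manager (as Windows stores it).
        elif (key_n.endswith("pendingfilerenameoperations")
              or name.lower() == "pendingfilerenameoperations") \
                and DROPPER_RE.search(data_s):
            findings.append(f"dropper queued for deletion at reboot: {data_s}")
    return findings


def scan_dns(log_lines):
    """Return DNS log lines that name the C2 domain or any subdomain of it."""
    hits = []
    for line in log_lines:
        for token in line.split():
            host = token.split("=")[-1].strip(".").lower()  # handles query=host
            if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
                hits.append(line)
                break
    return hits


# Constructed sample input modelled on the indicators above (not real data).
SAMPLE_REGISTRY = [
    (SERVICE_KEY, "ImagePath", r"C:\Users\alice\AppData\Roaming\Media\mediaplayer.exe"),
    (SERVICE_KEY, "Start", 2),
    (PENDING_KEY, "", r"\??\C:\Users\alice\AppData\Local\Temp\wHPEO.exe"),
    (r"HKLM\System\CurrentControlSet\Services\Spooler", "Start", 2),  # benign
]
SAMPLE_DNS = ["2020-10-01T12:00:01Z client=10.0.0.5 query=sdvro.net type=A",
              "2020-10-01T12:00:02Z client=10.0.0.5 query=www.example.com type=A"]
```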

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
