The DOD and DHS have released a joint security advisory regarding a new malware dubbed “SlothfulMedia”, which is being used in ongoing attacks.
SlothfulMedia is an information-stealer capable of logging keystrokes of victims and modifying files, which “has been used by a sophisticated cyber actor.” The two agencies did not reveal the name of the threat actor in question.
The report also does not mention the scope of the attacks or the targeted countries, but the malicious campaign has been aimed at targets in India, Kazakhstan, Kyrgyzstan, Malaysia, Russia and Ukraine.
The SlothfulMedia malware deploys two files when executed. The first file is a remote access tool (RAT) named mediaplayer.exe, which is designed for command and control (C2) of victim computer systems. The RAT is able to terminate processes, run arbitrary commands, take screenshots, modify the registry, and modify files on victim machines. It communicates with its command and control server using Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP).
The second file deletes the dropper after the RAT gains persistence on the victim system using the “Task Frame” service, which ensures that the RAT is loaded after reboot.
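As an added example (not part of the advisory or of the original article), the following Python code hunts for the persistence described above in exported Windows service-install events (Event ID 7045). The event records, host names and file paths are constructed sample data; only the service name “Task Frame” and the file name mediaplayer.exe come from the text.

```python
import ntpath

# Indicators from the article text; all other values below are constructed.
SERVICE_NAME = "task frame"
RAT_IMAGE = "mediaplayer.exe"

def image_basename(image_path):
    """Executable name from a service ImagePath (may be quoted, may have args)."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        idx = path.lower().find(".exe")
        if idx != -1:
            path = path[: idx + 4]  # drop trailing arguments
    return ntpath.basename(path).lower()

def score_event(ev):
    """Return None, 'low' or 'high' for one service-install record."""
    if ev.get("EventID") != 7045:  # 7045 = "A service was installed in the system"
        return None
    name_hit = ev.get("ServiceName", "").strip().lower() == SERVICE_NAME
    image_hit = image_basename(ev.get("ImagePath", "")) == RAT_IMAGE
    if name_hit and image_hit:
        return "high"
    # Either name alone is generic and can belong to legitimate software.
    return "low" if (name_hit or image_hit) else None

def hunt(events):
    """List (computer, service name, severity) for every matching event."""
    return [(ev["Computer"], ev["ServiceName"], sev)
            for ev in events if (sev := score_event(ev))]

# Constructed sample records (hosts and paths are hypothetical).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "Task Frame",
     "ImagePath": r'"C:\ExampleDir\mediaplayer.exe" -s'},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "Vendor Player",
     "ImagePath": r"C:\Program Files\Vendor\MediaPlayer.exe --svc"},
    {"EventID": 7045, "Computer": "WS03", "ServiceName": "task frame ",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 7036, "Computer": "WS04", "ServiceName": "Task Frame",
     "ImagePath": ""},
]

if __name__ == "__main__":
    for host, service, severity in hunt(SAMPLE_EVENTS):
        print(f"{severity:4} {host} service={service!r}")
```

A match on only one of the two names is reported as low severity because both are generic enough to appear in legitimate software.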
They uploaded the malware sample to the VirusTotal malware-sharing repository.