SLOTHFULMEDIA
Associated Software Descriptions

Name | Description
---|---
JackOfHearts | Kaspersky Labs refers to the "mediaplayer.exe" dropper within SLOTHFULMEDIA as JackOfHearts.(Citation: Kaspersky IAmTheKing October 2020)
QueenOfClubs | Kaspersky Labs assesses SLOTHFULMEDIA is an older variant of a malware family it refers to as QueenOfClubs.(Citation: Kaspersky IAmTheKing October 2020)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | SLOTHFULMEDIA has used HTTP and HTTPS for C2 communications.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SLOTHFULMEDIA can open a command line to execute commands.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | SLOTHFULMEDIA has created a service on victim machines named "TaskFrame" to establish persistence.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | SLOTHFULMEDIA has been created with a hidden attribute to ensure it is not visible to the victim.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Enterprise | T1070.004 | Indicator Removal: File Deletion | SLOTHFULMEDIA has deleted itself and the 'index.dat' file on a compromised machine to remove recent Internet history from the system.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Enterprise | T1056.001 | Input Capture: Keylogging | SLOTHFULMEDIA has a keylogging capability.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | SLOTHFULMEDIA has named a service it establishes on victim machines "TaskFrame" to hide its malicious purpose.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Enterprise | T1569.002 | System Services: Service Execution | SLOTHFULMEDIA has the capability to start services.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
References
- DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
- Costin Raiu. (2020, October 2). Costin Raiu Twitter IAmTheKing SlothfulMedia. Retrieved November 16, 2020.
- USCYBERCOM. (2020, October 1). USCYBERCOM Cybersecurity Alert SLOTHFULMEDIA. Retrieved November 16, 2020.
- Ivan Kwiatkowski, Pierre Delcher, Felix Aime. (2020, October 15). IAmTheKing and the SlothfulMedia malware family. Retrieved October 15, 2020.
- ESET Research. (2020, October 1). ESET Research Tweet Linking Slothfulmedia and PowerPool. Retrieved November 17, 2020.