SLOTHFULMEDIA Remote Access Trojan
Summary
First seen in October 2020, SLOTHFULMEDIA is a sophisticated remote access trojan and dropper with links to an unknown APT group. Several attacks against targets in Canada, the UK and the USA have been linked to it.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
SLOTHFULMEDIA is a newly observed remote access trojan associated with an as yet unidentified advanced persistent threat.
Delivery
At the time of publication, it is unclear how SLOTHFULMEDIA is initially delivered, although it is known that a preliminary trojan (sometimes identified as ButeRat) acts as the dropper, creating a new service called TaskFrame.
If successful, the dropper then collects system information, combines it with a unique identifier, and sends it to a command and control (C2) server over both HTTP and HTTPS. It then drops and installs another payload which verifies the existence of the TaskFrame service before adding another Registry key and deleting the preliminary dropper as well as the user index.dat file.
Activities
Once delivered, SLOTHFULMEDIA will attempt to delete a file called Junk9, although it is unclear for what purpose and it does not affect further functionality if it cannot. A screenshot of the desktop is then taken and stored in the local directory, before SLOTHFULMEDIA attempts to start a new instance of the TaskFrame service and injects itself into it.
By default, the TaskFrame service is able to add, modify, or delete registry keys. SLOTHFULMEDIA uses this capability to edit several keys before collecting system and user information to send back to the same C2 server, at which point it will await further commands. SLOTHFULMEDIA is able to:
- create, edit, transfer, and delete files
- open hidden terminal windows
- edit registry keys
- list, create, and terminate services or processes
- enumerate connected drives
- enumerate open network ports
- open and close TCP or UDP sessions
- take screenshots.
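The dropper and service behaviour described above (creation of a service called TaskFrame, deletion of the user's index.dat, deletion of Junk9) can be turned into a simple host triage rule. The following Python is an added example, not code from the advisory or from NHS Digital; the event records are constructed, and their field names and the event IDs used to represent them are assumptions.

```python
from collections import defaultdict

# Constructed sample events, loosely modelled on Windows System log
# (7045 = service installed) and Sysmon (23 = file delete) records.
# Field names are an assumption for this example, not a real log schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 7045, "service": "TaskFrame", "image": r"C:\Users\Public\svc.exe"},
    {"host": "ws01", "event_id": 23, "path": r"C:\Users\alice\AppData\Local\Microsoft\Windows\History\index.dat"},
    {"host": "ws01", "event_id": 23, "path": r"C:\Users\alice\Junk9"},
    {"host": "ws02", "event_id": 7045, "service": "TaskFrame", "image": r"C:\Windows\System32\tf.exe"},
    {"host": "ws03", "event_id": 23, "path": r"C:\Users\bob\AppData\Local\Microsoft\Windows\History\index.dat"},
    {"host": "ws04", "event_id": 7045, "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
]

# Behaviours taken from the advisory: a service called TaskFrame is created,
# and the user's index.dat and a file called Junk9 are deleted.
SERVICE_NAME = "taskframe"
DELETED_ARTEFACTS = ("index.dat", "junk9")

def classify(event):
    """Map one event to a behaviour label, or None if it is not of interest."""
    if event.get("event_id") == 7045 and event.get("service", "").lower() == SERVICE_NAME:
        return "taskframe_service_installed"
    if event.get("event_id") == 23:
        name = event.get("path", "").rsplit("\\", 1)[-1].lower()
        if name in DELETED_ARTEFACTS:
            return f"deleted_{name}"
    return None

def find_suspect_hosts(events):
    """Return {host: {"score", "behaviours"}} for hosts whose combined
    behaviours reach the reporting threshold."""
    seen = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            seen[ev["host"]].add(label)
    report = {}
    for host, labels in seen.items():
        # Creation of the TaskFrame service is the strongest single indicator;
        # each deleted artefact adds corroboration. A lone index.dat deletion
        # is too common to report on its own.
        score = (2 if "taskframe_service_installed" in labels else 0) + \
                sum(1 for l in labels if l.startswith("deleted_"))
        if score >= 2:
            report[host] = {"score": score, "behaviours": sorted(labels)}
    return report
```

Hosts that only show a deleted index.dat are deliberately not reported, since that artefact is also removed by normal browser clean-up.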
Remediation advice
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Indicators of compromise
Last edited: 7 October 2020 3:09 pm