Security experts warned of a new malware variant dubbed SlothfulMedia has been used by a “sophisticated cyber actor.”
The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DOD) Cyber National Mission Force (CNMF) issued a malware report on SlothfulMedia.
CISA and CNMF issued an executive summary of the malware threat:
“The sample is a dropper, which deploys two files when executed. The first is a remote access tool (RAT) named ‘mediaplayer.exe’’, which is designed for command and control (C2) of victim computer systems. Analysis has determined the RAT has the ability to terminate processes, run arbitrary commands, take screen shots, modify the registry, and modify files on victim machines. It appears to communicate with its C2 controller via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP).”
CISA and CNMF
Also, the report added that a second file has a random five-character name and also deletes the dropper once the RAT has persistence.
The malware then achieves persistence via the creation of a “Task Frame” service used to delete, add or modify registry keys, as well as start and stop a keylogger program on a victim’s computer.
The program will also collect system information and send to the attacker’s command and control (C2).