SLOTHFULMEDIA

SlothfulMedia is a malware dropper that was the subject of a report issued by The Department of Homeland Security (DHS) by combining findings from the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF). The malware threat is designed to drop two additional files on the compromised system - a Remote Access Trojan (RAT), while the other file is responsible for deleting the RAT after persistence is achieved.

The main dropper file is tasked with downloading the RAT payload as a file named 'mediaplayer.exe' and placing it in the '%AppData%\Media\' folder. A 'media.lnk' file is also dropped in the same path. It then proceeds to download a file in the '%TEMP%' folder, give it a five-character random name, and append it with the .'exe' extension. To ensure that the user has a harder time noticing this file, it is created with a 'hidden' attribute. The dropper file also is responsible for creating the persistence mechanism for the RAT. It achieves this by creating a 'TaskFrame' process that will execute the RAT on each system start. Communication with the Command-and-Control (C2, C&C) infrastructure is achieved through HTTP and HTTPS requests to the 'www[.]sdvro.net' domain.

The RAT payload itself is capable of taking complete control over the compromised computer. It starts its data-gathering activity by taking a screenshot of the desktop, naming it 'Filter3.jpg,' and placing it inside the local directory. It then collects various system data such as computer and user name, OS version, memory usage and connected logical drives. The information is morphed into a string, then hashed, and sent as part of the initial communication with the C2 server. If everything is running smoothly, the RAT will then wait for a specific command to carry out on the infected machine. It can manipulate files, execute and stop processes, enumerate open ports, drives, files, directories, and services, take screenshots; modifying the Registry, among other threatening activities.

The file with the random name delivered by the dropper is responsible for clearing out some of the tell-tale signs of the RAT's activity. It modifies the Registry to ensure that the malware's main executable is deleted on the next restart of the system. The Registry key it uses is:

'HKLM\System\CurrentControlSet\Control\SessionManager\PendingFileRenameOperations

Data: \??\C:\Users\<user>\AppData\Local\Temp\wHPEO.exe.'

The user's Internet history also will be wiped by deleting the 'index.dat' file.