Description
Notification
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE – Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary
Description
This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF). The malware variant, known as SlothfulMedia, has been used by a sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduced exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.
The sample is a dropper, which deploys two files when executed. The first is a remote access tool (RAT) named ‘mediaplayer.exe’, which is designed for command and control (C2) of victim computer systems. Analysis has determined the RAT has the ability to terminate processes, run arbitrary commands, take screen shots, modify the registry, and modify files on victim machines. It appears to communicate with its C2 controller via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP). The second file has a random five-character name and deletes the dropper once the RAT has persistence. Persistence is achieved through the creation of a service named “Task Frame”, which ensures the RAT is loaded after a reboot.
Users or administrators should flag activity associated with the malware and report the activity to the CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.
For more information on malicious cyber activity, please visit https[:]//www[.]us-cert.gov.
For a downloadable copy of IOCs, see MAR-10303705-1.v1.stix.

Submitted Files (1)
64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273 (448838B2A60484EE78C2198F2C0C9C…)
Additional Files (2)
4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa (wHPEO.exe)
927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae (mediaplayer.exe)
Domains (1)
sdvro.net

Findings
64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
Tags
bot, dropper, information-stealer, keylogger, remote-access-trojan, trojan
Details
Antivirus
YARA Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
PE Sections
Packers/Compilers/Cryptors
Relationships
Description
This file is a 32-bit Windows executable. When executed, it will drop a file called ‘mediaplayer.exe’ (927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae) into the path %AppData%Media. A link file called ‘media.lnk’ is also placed in this path. A third file is placed in the path %TEMP% and is given a five-character random name with an ‘.exe’ extension, e.g. ‘wHPEO.exe’ (4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa). This file is created with a ‘hidden’ attribute to ensure that it is not visible to the user.
Next, the program will create a service on the system called “TaskFrame” with the following parameters:
— Begin Service Parameters —
This service is used to create persistence on the system and is designed to start the ‘mediaplayer.exe’ (927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae) program each time the system is started.
Next, the program will collect system information to send to the command and control (C2). A unique identifier is created and sent in a POST request along with a Unix timestamp of the time of infection to the domain www[.]sdvro.net. Connection attempts are made via both HTTP and HTTPS. The following is a sample of the POST request:
— Begin POST Request —
..D……!F.1y^.4.&….{ ..f]..Fz…;..H.L`p..$.H..0A.A(An_8…;..$yH.t..4H…3..K.QvRkX.c..|r r=..V.F…..Hc.H……H.<..tfH….@..uU.@…..uL..D.=o..l!’..D$hH.&.H.f..H.f(..F..n.H..H.$`H.l$pH..0A_A]A_^…H.$.H.t..gH…3..f..K..-.
The domain did not resolve to an IP address at the time of analysis.
Note: The malware uses the fixed User-Agent string, “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75” in its communication.
The following notable strings were found in unreferenced data within the file. The purpose of the strings could not be determined. The strings are not used by the code.
— Begin Notable Strings —

sdvro.net
Tags
command-and-control
Ports
HTTP Sessions
Whois
Domain Name: SDVRO.NET
Domain Name: sdvro.net
Relationships
Description
This domain did not resolve to an IP address at the time of analysis.

927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae
Tags
remote-access-trojan
Details
Antivirus
YARA Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
PE Sections
Packers/Compilers/Cryptors
Relationships
Description
This file is a 32-bit Windows executable file that is dropped and executed by 448838B2A60484EE78C2198F2C0C9C85. The file is called ‘mediaplayer.exe’. When executed, it will look for a file called ‘Junk9’ and will attempt to delete it. The file ‘Junk9’ was not available for analysis. Next, it will take a screenshot of the user’s desktop and name it ‘Filter3.jpg’ and store this in the local directory. The program then looks for a service called ‘TaskFrame’ and attempts to start it. The ‘TaskFrame’ service is able to delete, add, or modify registry keys, and start and stop a keylogger program on the system. If the ‘TaskFrame’ service is already installed and running, the program will terminate. The malware will create a mutex on the system called ‘Globalmukimukix’.
The program changes the proxy configuration of the system with the following registry modifications:
— Begin Registry Modification —
The program collects the computer name, user name, OS version, adapter information, memory usage, and logical drives for the system. This information is concatenated into a string that is hashed and sent as part of the initial POST request to the C2. The program will expect to receive a ‘200 OK’ response from the C2 before it begins transmission. If it receives a ‘501 Error’ the program sleeps for three seconds and attempts another connection. If the initial connection to the C2 is successful, the program will await a command. The program is capable of executing the following tasks from commands issued by the C2:
— Begin Program Capabilities —
1. Create, Write, and Delete files.
— End Program Capabilities —
The program will also look for the following paths: SetupUi, AppIni, and ExtInfo. The purpose for this search could not be determined.

4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa
Tags
remote-access-trojan
Details
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
PE Sections
Packers/Compilers/Cryptors
Relationships
Description
This artifact is a 32-bit Windows executable that is dropped by 448838B2A60484EE78C2198F2C0C9C85. This program has some anti-forensic capability and is designed to clear indicators of compromise (IOCs) from the system. The program first verifies that the service ‘TaskFrame’ is running, then adds the following key to the registry:
— Begin Registry Modification —
This modification ensures that the file is deleted with the next system restart. The program will also delete the user’s ‘index.dat’ file, thus removing the user’s recent Internet history from the system.
Relationship Summary
Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
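The network behaviour reported in the findings above (the sdvro.net C2 domain, the fixed User-Agent string, and the three-second retry after a ‘501 Error’) can be checked against web proxy logs. The following Python example is added here and is not part of the CISA report; the pipe-delimited log layout, client addresses, timestamps, the one-second tolerance and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Indicators quoted in the report.
C2_DOMAIN = "sdvro.net"
FIXED_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/68.0.3440.75")
RETRY_SECONDS, TOLERANCE = 3.0, 1.0  # 3 s sleep per report; tolerance assumed

# Constructed sample input: the "time|client|method|url|status|user-agent"
# layout and every record below are made up for this example.
OTHER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0"
SAMPLE_LOG = [
    f"2020-10-01T09:00:00|10.0.0.5|POST|http://www.sdvro.net/|501|{FIXED_UA}",
    f"2020-10-01T09:00:03|10.0.0.5|POST|http://www.sdvro.net/|501|{FIXED_UA}",
    f"2020-10-01T09:00:06|10.0.0.5|POST|https://www.sdvro.net/|200|{FIXED_UA}",
    f"2020-10-01T09:00:01|10.0.0.9|GET|http://notsdvro.net/|200|{OTHER_UA}",
    f"2020-10-01T09:00:02|10.0.0.7|POST|http://app.example/api|501|{OTHER_UA}",
    f"2020-10-01T09:00:40|10.0.0.7|POST|http://app.example/api|200|{OTHER_UA}",
]

def is_c2_host(url):
    """True for sdvro.net and its subdomains, not for look-alike names."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)

def triage(lines):
    """Return {client: sorted indicator names} for clients with any hit."""
    hits = defaultdict(set)
    last_501 = {}                     # (client, host) -> time of last 501
    for line in sorted(lines):        # ISO timestamps sort chronologically
        ts, client, _method, url, status, ua = line.split("|", 5)
        when = datetime.fromisoformat(ts)
        host = (urlsplit(url).hostname or "").lower()
        if is_c2_host(url):
            hits[client].add("c2-domain")
        if ua.strip().startswith(FIXED_UA):
            hits[client].add("fixed-user-agent")
        prev = last_501.pop((client, host), None)
        if prev and abs((when - prev).total_seconds() - RETRY_SECONDS) <= TOLERANCE:
            hits[client].add("retry-3s-after-501")
        if status == "501":
            last_501[(client, host)] = when
    return {client: sorted(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in triage(SAMPLE_LOG).items():
        print(client, names)
```

A client that shows all three indicators together is a stronger lead than one matching the User-Agent or the retry timing alone, since either of those can occur in benign traffic.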
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.
Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.
Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.
Revisions
- October 1, 2020: Initial Version