Malware

New SlothfulMedia RAT Runs Arbitrary Commands and Takes Screenshots on Victim Machines

Recently, CISA, together with the U.S. Department of Defense's Cyber National Mission Force (CNMF), warned about a new remote access trojan (RAT) called SlothfulMedia that is being used by sophisticated threat actors. The two agencies have published a joint Malware Analysis Report (MAR) giving the technical details of a new dropper tracked as SlothfulMedia.

CISA and CNMF are distributing this MAR to enable network defense and reduce exposure to malicious activity. The MAR includes suggested response actions and recommended mitigation techniques.

Analysis Report

The report is the product of analysis performed jointly by the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF).

When the analyzed sample runs, it drops two files. The first is a remote access tool (RAT) named "mediaplayer.exe", built for command and control (C2) of the victim system; the second has a random five-character name and deletes the dropper once the RAT has established persistence.

“Analysis has determined the RAT has the ability to terminate processes, run arbitrary commands, take screenshots, modify the registry, and modify files on victim machines. It appears to communicate with its C2 controller via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP),” the report states.

Persistence is achieved by creating a service named “Task Frame,” which ensures the RAT is loaded again after a reboot.
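The two host indicators above (a service named "Task Frame" and a binary named "mediaplayer.exe") plus the HTTP-over-TCP C2 channel are enough to write a first-pass hunt. The script below is an added example, not code from the CISA/CNMF report: it parses exported Windows "new service installed" (Event ID 7045) records and a process/connection snapshot, and flags anything matching those indicators. The key=value record layout, the field names (ServiceName, ImagePath, Image, Proto, Remote), the sample values, and the use of port 80 as the HTTP C2 port are all assumptions made for the demo.

```python
"""Hunt for SlothfulMedia-style persistence in exported Windows telemetry.

The two host indicators come from the CISA/CNMF description quoted in the
article: a RAT binary named 'mediaplayer.exe' and a persistence service
named 'Task Frame'. The record layout (key=value text, one event per line),
the field names and every sample value below are assumptions made for this
demo; they are not real telemetry from the report.
"""
import ntpath
import re
from typing import Dict, List, Tuple

RAT_IMAGE = "mediaplayer.exe"   # from the article
SERVICE_NAME = "task frame"     # from the article; compared case-insensitively

# key=value pairs; values may be double-quoted (paths with spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> Dict[str, str]:
    """Turn one 'key=value key="quoted value"' line into a dict."""
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def image_basename(image_path: str) -> str:
    """Lower-cased executable name from a service ImagePath.

    ImagePath may carry arguments ('svchost.exe -k netsvcs') and may be
    quoted; keep the text up to the first '.exe' and take its basename with
    ntpath so backslash paths are handled on any analysis host.
    """
    m = re.match(r'\s*"?([^"]*?\.exe)', image_path, re.IGNORECASE)
    exe = m.group(1) if m else image_path.strip().split(" ")[0]
    return ntpath.basename(exe).lower()


def check_service_event(rec: Dict[str, str]) -> List[str]:
    """Reasons a 7045 (service installed) record looks like the RAT's service."""
    if rec.get("EventID") != "7045":
        return []
    reasons = []
    name = " ".join(rec.get("ServiceName", "").lower().split())
    if name == SERVICE_NAME:
        reasons.append(f"service name matches {SERVICE_NAME!r}")
    if image_basename(rec.get("ImagePath", "")) == RAT_IMAGE:
        reasons.append(f"service binary is {RAT_IMAGE!r}")
    return reasons


def check_connection(rec: Dict[str, str]) -> List[str]:
    """Flag any TCP session owned by the RAT image; port 80 is called out as
    consistent with the plain-HTTP C2 the report describes (port choice is
    our assumption, the report does not name one)."""
    if rec.get("Image", "").lower() != RAT_IMAGE or rec.get("Proto") != "TCP":
        return []
    port = rec.get("Remote", "").rsplit(":", 1)[-1]
    note = " (HTTP port, consistent with the described C2)" if port == "80" else ""
    return [f"{RAT_IMAGE} has TCP session to {rec.get('Remote')}{note}"]


def hunt(service_log: str, conn_log: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) pairs for both inputs; service findings first."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(service_log.splitlines(), 1):
        for reason in check_service_event(parse_record(line)):
            findings.append((n, reason))
    for n, line in enumerate(conn_log.splitlines(), 1):
        for reason in check_connection(parse_record(line)):
            findings.append((n, reason))
    return findings


# Constructed sample records (not real telemetry). 203.0.113.5 is a
# documentation address (RFC 5737).
SAMPLE_SERVICE_LOG = """\
EventID=7045 ServiceName="Windows Update Agent" ImagePath="C:\\Windows\\system32\\svchost.exe -k netsvcs" AccountName=LocalSystem
EventID=7045 ServiceName="Task Frame" ImagePath="C:\\Users\\Public\\mediaplayer.exe" AccountName=LocalSystem
EventID=7045 ServiceName="Media Helper" ImagePath="C:\\ProgramData\\Qx7Kp\\MEDIAPLAYER.EXE" AccountName=LocalSystem
EventID=7036 ServiceName="Task Frame" State=running"""

SAMPLE_CONN_LOG = """\
Pid=1204 Image=svchost.exe Proto=TCP Remote=10.0.0.5:443
Pid=4412 Image=mediaplayer.exe Proto=TCP Remote=203.0.113.5:80
Pid=4412 Image=mediaplayer.exe Proto=UDP Remote=10.0.0.2:53"""

if __name__ == "__main__":
    for line_no, reason in hunt(SAMPLE_SERVICE_LOG, SAMPLE_CONN_LOG):
        print(f"line {line_no}: {reason}")
```

Both the service name and the file name are trivially changed by the operator, so treat matches as a starting point rather than a verdict. In practice, pair the name checks with behaviour that is harder to rename: a service whose binary lives in a user-writable directory, a service installed shortly after an unknown executable ran, or a long-lived HTTP session from a process that has no business talking to the Internet. Note also that "mediaplayer.exe" is a generic name, so the file-name match alone will produce false positives on hosts with legitimate media software.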

Users and administrators should flag any activity associated with this malware, report it to CISA or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

Capabilities

  • Create, Write, and Delete files.
  • Open a Command-Line.
  • Move Files.
  • Enumerate Open Ports.
  • Enumerate Drives.
  • Enumerate Processes by ID, Name, or Privileges.
  • Start and Stop Processes.
  • Enumerate Files and Directories.
  • Open a Named Pipe and Send and Receive Data.
  • Take Screenshots.
  • Inject into User Processes.
  • Enumerate Services.
  • Start/Stop Services.
  • Modify the Registry.
  • Open/Close TCP and UDP Sessions.

Recommendations

The CISA report also lists a number of basic recommendations that users and administrators should follow to strengthen the security posture of their organization's systems. CISA adds that any configuration changes should be reviewed by system owners and administrators before implementation to avoid unwanted impacts.

CISA's recommendations are:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up to date.
  • Disable File and Printer Sharing services; if they are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability to install and run unwanted software applications.
  • Enforce a strong password policy.
  • Implement regular password changes.
  • Exercise caution when opening e-mail attachments, even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the Internet before executing it.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

CISA notes that following these recommendations reduces an organization's exposure to this and similar threats; none of them, on its own, eliminates the risk.

CISA has also said it will continue to collect information about this malware and will publish updates as they become available.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
