CISA and DoD Warn of Sophisticated Threat Actor Wielding New SlothfulMedia Malware


The US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DOD) Cyber National Mission Force (CNMF) have revealed that new malware dubbed SlothfulMedia is currently used by a sophisticated threat actor.

The two agencies published details on new malware they called SlothfulMedia, which attackers have already used in many countries, including India, Kazakhstan, Kyrgyzstan, Malaysia, Russia and the Ukraine. A sample of the dropper was uploaded on Virustotal.

“The sample is a dropper, which deploys two files when executed,” reads the announcement. “The first is a remote access tool (RAT) named ‘mediaplayer.exe’, which is designed for command and control (C2) of victim computer systems. Analysis has determined the RAT has the ability to terminate processes, run arbitrary commands, take screenshots, modify the registry, and modify files on victim machines. It appears to communicate with its C2 controller via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP).”

The second package is harmless, only designed to delete the dropper after the initial RAT gained persistence and can survive a reboot. If the infection succeeded, a new service named ‘Task Frame’ is created, allowing the RAT to load after reboot.

According to the description, this malware targets Windows devices, and the dropper is a 32-bit executable. The name ‘mediaplayer.exe’ is only there to fool a superficial inspection.

Recommendations from law agencies include keeping antivirus signatures and engines up to date, disabling printer files and sharing services, enforcing a strong password policy, and more.

The law agencies have yet to name the threat actors behind the new malware, but revealing the malware’s signatures and details will help security solutions more easily intercept SlothfulMedia.