SlothfulMedia: What is SlothfulMedia and How Does It Work?

SlothfulMedia is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017. It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe. SlothfulMedia affects the following operating systems: Windows.

SlothfulMedia Malware Capabilities

SlothfulMedia may use a variety of methods to evade detection and avoid network filtering, including hiding files and communicating over application layer protocols associated with web traffic. It may also gather information about registered local system services, and may delete files left behind by its intrusion activity. Additionally, SlothfulMedia may abuse the Windows service control manager to execute malicious commands or payloads, and may steal data by exfiltrating it over its existing command and control channel.

Additionally, the malware may collect information about a system in order to determine how best to infect it and what actions to take once it has been infected. This may include information about the operating system and hardware, running processes, and users. The malware may also create or modify Windows services for persistence, or stop and disable critical services. SlothfulMedia may also transfer tools or other files from an external system into the compromised environment.

  • SlothfulMedia is a form of malware that uses application layer protocols to avoid detection and network filtering. It may also try to gather information about registered local system services. Additionally, SlothfulMedia may delete files that are left behind by its intrusion activity.
  • SlothfulMedia may abuse the Windows service control manager to execute malicious commands or payloads. Additionally, SlothfulMedia may search local system sources for files of interest and sensitive data prior to exfiltration. Finally, SlothfulMedia may attempt to get a listing of network connections to or from the compromised system or from remote systems.
  • SlothfulMedia malware may steal data by exfiltrating it over an existing command and control channel, and may also set files and directories to be hidden in order to evade detection. Additionally, the Windows command shell may be abused for execution.
  • SlothfulMedia malware may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. This information may be used to shape follow-on behaviors, including whether or not the malware fully infects the target and/or attempts specific actions. Additionally, SlothfulMedia may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. Finally, the malware may stop or disable services on a system to render them unavailable to legitimate users.
  • SlothfulMedia may attempt to collect information about users and running processes on a system in order to determine which actions to take next. It may use legitimate file and resource names to evade defenses and observation.
  • SlothfulMedia may use process injection to evade detection and elevate privileges. It may also transfer tools or files from an external system to the victim network, and interact with the Windows Registry to hide configuration information.
  • The SlothfulMedia malware may attempt various discovery activities on a host or network share, including enumerating files and directories, or searching for specific information within a file system. It may also take screen captures, and manipulate the names of tasks or services to make them appear legitimate.
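Several of the behaviours listed above (creating or modifying services for persistence, hiding configuration in the registry, and giving tasks or services legitimate-looking names) leave traces under `HKLM\SYSTEM\CurrentControlSet\Services`. The Python script below is an added example written for this article; it is not code from the original page or from any published SlothfulMedia analysis. It parses a constructed `.reg` export of the Services key and flags entries whose binary lives in a user-writable directory or whose display name copies a well-known service while sitting under a different key name. The sample export, the `KNOWN_SERVICES` allowlist (a tiny illustrative subset) and the rule names are all assumptions made for the example.

```python
"""Audit Windows service registry entries from a .reg export.

Added example: the export text below is constructed, and KNOWN_SERVICES is a
small illustrative subset of legitimate services, not a complete reference.
"""
import re

# Constructed sample, in the format that
# `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` writes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"DisplayName"="Windows Update"
"ImagePath"="C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinUpdateSvc]
"DisplayName"="Windows Update"
"ImagePath"="C:\\Users\\Public\\Libraries\\wuauclt.exe"
"Start"=dword:00000002
"""

# Matches top-level service keys only; sub-keys such as ...\Spooler\Parameters are skipped
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$")
# Matches REG_SZ lines of the form "Name"="value" (dword lines are ignored)
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Directories an unprivileged user can write to; a service binary there is suspect
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# display name (lower-cased) -> service key name that legitimately carries it
# (constructed subset for the example)
KNOWN_SERVICES = {
    "print spooler": "spooler",
    "windows update": "wuauserv",
}


def unescape_reg_string(value):
    """Undo the .reg escaping of double quotes and backslashes."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {service_name: {value_name: string_value}} for the string values."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = SERVICE_KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            services[current] = {}
            continue
        value_match = STRING_VALUE_RE.match(line)
        if value_match and current is not None:
            name, value = value_match.groups()
            services[current][name] = unescape_reg_string(value)
    return services


def audit_services(reg_text):
    """Return (service, rule, detail) tuples for suspicious service entries."""
    findings = []
    for name, values in parse_reg_export(reg_text).items():
        image = values.get("ImagePath", "")
        display = values.get("DisplayName", "")
        # Rule 1: service binary in a location any user can write to
        if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append((name, "image_path_user_writable", image))
        # Rule 2: display name borrowed from a known service, but under another key name
        owner = KNOWN_SERVICES.get(display.lower())
        if owner and owner != name.lower():
            findings.append((name, "display_name_mimics_known_service",
                             f"{display!r} belongs to {owner}"))
    return findings


if __name__ == "__main__":
    for service, rule, detail in audit_services(SAMPLE_REG_EXPORT):
        print(f"{service}: {rule}: {detail}")
```

On the sample data only `WinUpdateSvc` is flagged, once for each rule; the genuine `Spooler` and `wuauserv` entries pass. In practice the allowlist would be built from a known-good baseline of the same Windows build, and the export would come from the host under investigation.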

Ways to Mitigate SlothfulMedia Malware Attacks

  • SlothfulMedia can be mitigated by analyzing network data for uncommon data flows, watching for system and network discovery techniques, and monitoring for command-line deletion functions.
  • SlothfulMedia malware attacks can be mitigated by monitoring for changes to service registry entries and for command-line invocation of tools. Additionally, monitoring for system and network discovery techniques helps identify potentially malicious activity.
  • SlothfulMedia can be mitigated by analyzing network data for unusual activity, monitoring the file system for suspicious activity, and restricting the use of scripts on systems where they are not commonly used.
  • SlothfulMedia can be mitigated by monitoring processes and command-line arguments for actions that could create or modify services. Additionally, since service binary paths may be changed to execute commands or scripts, collecting this data for analysis is important. Finally, monitoring processes and command-line arguments to see whether critical processes are terminated or stop running can help identify this type of attack.
  • SlothfulMedia can be mitigated by monitoring for system and network discovery techniques. Data and events should be viewed as part of a chain of behavior that could lead to other activities. Collecting file hashes and monitoring file names and locations can help identify suspect files.
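To make the monitoring advice above concrete, the following Python script is an added example (not code from the original article or from any SlothfulMedia report) that runs a handful of detection rules over constructed process-creation events shaped like Sysmon Event ID 1 / Windows 4688 records. The rules cover the points the list raises: service creation or modification through `sc` or the PowerShell service cmdlets, service stops, command-line deletion, and files being marked hidden, with an extra alert when a newly created service points at a binary in a user-writable directory. The events, field names and rule names are this example's own assumptions.

```python
"""Flag service tampering and cleanup commands in process-creation telemetry.

Added example: SAMPLE_EVENTS are constructed in the shape of Sysmon Event ID 1
/ Windows 4688 records (timestamp, image, command line); they are not real
telemetry, and the rule names are this example's own.
"""
import re

# Directories an unprivileged user can write to
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# (rule name, pattern applied to the lower-cased command line)
RULES = [
    # sc create / sc config, New-Service / Set-Service: service creation or modification
    ("service_create_or_modify",
     re.compile(r"\bsc(?:\.exe)?\s+(?:create|config)\b|\bnew-service\b|\bset-service\b")),
    # sc stop / sc delete, net stop, Stop-Service, start= disabled: stopping or disabling a service
    ("service_stop_or_disable",
     re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete)\b|\bnet(?:1|\.exe)?\s+stop\b"
                r"|\bstop-service\b|\bstart=\s*disabled\b")),
    # del / erase / rd with force, quiet or recursive switches, Remove-Item: command-line deletion
    ("command_line_deletion",
     re.compile(r"\b(?:del|erase|rd|rmdir)\b.*\s/[fqs]\b|\bremove-item\b")),
    # attrib +h: marking files or directories hidden
    ("hidden_attribute_set",
     re.compile(r"\battrib(?:\.exe)?\b.*\+h\b")),
]

# Constructed events: two benign, five that a defender would want surfaced
SAMPLE_EVENTS = [
    {"ts": "10:00:01", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs -p"},
    {"ts": "10:00:05", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"ts": "10:01:10", "image": r"C:\Windows\System32\sc.exe",
     "command_line": r'sc create WinUpdateSvc binPath= "C:\Users\Public\Libraries\wuauclt.exe" start= auto'},
    {"ts": "10:01:12", "image": r"C:\Windows\System32\sc.exe",
     "command_line": "sc stop Spooler"},
    {"ts": "10:01:30", "image": r"C:\Windows\System32\attrib.exe",
     "command_line": r"attrib +h +s C:\Users\Public\Libraries"},
    {"ts": "10:02:00", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c del /f /q C:\Users\Public\Libraries\stage.tmp"},
    {"ts": "10:02:30", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Set-Service -Name Spooler -StartupType Disabled"},
]


def scan_process_events(events):
    """Return a list of {rule, ts, command_line} findings, in event order."""
    findings = []
    for event in events:
        cmd = event["command_line"].lower()
        for rule_name, pattern in RULES:
            if not pattern.search(cmd):
                continue
            findings.append({"rule": rule_name, "ts": event["ts"],
                             "command_line": event["command_line"]})
            # A service whose binary lives in a user-writable directory gets its own alert,
            # since that is where a dropped payload typically ends up
            if rule_name == "service_create_or_modify" and any(
                    marker in cmd for marker in USER_WRITABLE_MARKERS):
                findings.append({"rule": "service_binpath_user_writable", "ts": event["ts"],
                                 "command_line": event["command_line"]})
    return findings


if __name__ == "__main__":
    for finding in scan_process_events(SAMPLE_EVENTS):
        print(f'{finding["ts"]} {finding["rule"]}: {finding["command_line"]}')
```

The two benign events produce nothing; the remaining five produce six findings, because the `sc create` with a `binPath=` under `C:\Users` trips both the service rule and the user-writable-path check. Real deployments would feed the function from an event-log export or a SIEM query and tune the patterns against the administrative tooling that is normal in the environment, so that routine `sc` and `del` use by administrators does not drown the signal.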

Reactionary Times News Desk
