Threat Thursday

SCYTHE Library: #ThreatThursday - SlothfulMedia

Written by Jorge Orchilles | Oct 8, 2020 4:00:00 AM

On October 1, 2020, US-CERT published a Malware Analysis Report (MAR) on a new malware sample seen in the wild called SlothfulMedia. The report attributes it to a “sophisticated cyber actor,” but as you will see, it behaves like a very typical Remote Access Trojan. As usual, we will review the Cyber Threat Intelligence, create an adversary emulation plan, demonstrate the emulation, and discuss how to defend against this threat. We hope you enjoy it.

Cyber Threat Intelligence

US-CERT published this Malware Analysis Report (MAR) as the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF). The malware variant, known as SlothfulMedia, has been used by a sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduced exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.

Image from https://twitter.com/USCERT_gov/status/1311746481922154496  

The sample is a dropper, which deploys two files when executed. The first is a remote access tool (RAT) named ‘mediaplayer.exe’, which is designed for command and control (C2) of victim computer systems. Analysis has determined the RAT has the ability to terminate processes, run arbitrary commands, take screenshots, modify the registry, and modify files on victim machines. It appears to communicate with its C2 controller via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP).

The second file has a random five-character name and deletes the dropper once the RAT has persistence. Persistence is achieved through the creation of a service named “Task Frame”, which ensures the RAT is loaded after a reboot.

Reading through the report provides more technical steps and details on what each of the three files (the dropper and the two files it deploys) does. Of note is that the dropper requires local administrative privileges to create the service that runs the RAT. This is unusual, as most malware is designed to operate with standard user privileges. We will create a plan that can run in both contexts.

This Cyber Threat Intelligence does not map to MITRE ATT&CK so we did the mapping and shared it as an ATT&CK Navigator JSON.

 

Tactic               | Technique
---------------------|-------------------------------------------------
Command and Control  | T1071.001 - Web Protocols - HTTP over 80/tcp
                     | T1219 - Remote Access Software
Execution            | T1059 - Command and Scripting Interpreter
                     | T1059.003 - Windows Command Shell
Discovery            | T1007 - System Service Discovery
                     | T1010 - Application Window Discovery
                     | T1057 - Process Discovery
                     | T1082 - System Information Discovery
                     | T1083 - File and Directory Discovery
Persistence          | T1569 - System Service
Collection           | T1074 - Data Staged
                     | T1113 - Screen Capture
Impact               | T1485 - Data Destruction

As usual, we have created and shared the SlothfulMedia adversary emulation plan on our GitHub. This time we also published a README.md with more details on how to emulate this particular malware.

To emulate:

  1. Import the threat into SCYTHE
  2. Create a campaign from threat
  3. Use HTTP or HTTPS over default TCP port (80 or 443 respectively)
  4. Set header to "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75"
  5. Set Timestamp to 2019-04-29T10:18:34
  6. Download the 32-bit EXE and rename to mediaplayer.exe

The synthetic malware will go through the 23 steps, including cleaning up the files it created, so you can run it over and over again as you test your detection and alerting controls.


Defend against SlothfulMedia

SlothfulMedia seems like a pretty generic Remote Access Trojan (RAT). Most of its features come built into SCYTHE, so you can test them time and time again. In this section we will look at two areas that stand out in this particular threat: the requirement for local administrator privileges and the constant User-Agent.

Local Administrator Privilege

The dropper requires local administrative rights on first execution in order to create a service. To defend against that, do not let your users log in with local administrator accounts. If a user needs administrator privileges, they should have a secondary account and enter that account's password when elevation is required.
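Service creation is also observable: the Service Control Manager logs Event ID 7045 ("A service was installed in the system") in the Windows System log whenever a new service is registered. The following is an added example (not SCYTHE's code or part of the emulation plan) that hunts those events for the "Task Frame" service and "mediaplayer.exe" indicators quoted from the MAR above, and more generally for any service whose binary lives outside the usual install directories. The key=value rendering of the events and the hostnames are constructed for the example.

```python
"""Hunt Windows System-log 'service installed' events (Event ID 7045) for
SlothfulMedia-style persistence. Added example, not SCYTHE's code; the
key=value rendering of the events is constructed, not wevtutil output."""
import re

# Indicators quoted from the MAR in the post.
KNOWN_SERVICE_NAME = "task frame"
KNOWN_BINARY = "mediaplayer.exe"
# Directories a legitimately installed service binary normally lives under.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = """\
EventID=7045 Host=WS01 ServiceName="Windows Defender Advanced Threat Protection Service" ImagePath="C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe" StartType=auto Account=LocalSystem
EventID=7045 Host=WS02 ServiceName="Task Frame" ImagePath="C:\\Users\\alice\\AppData\\Local\\Temp\\mediaplayer.exe" StartType=auto Account=LocalSystem
EventID=7045 Host=WS03 ServiceName="Updater" ImagePath="C:\\ProgramData\\xyz\\svc.exe" StartType=auto Account=LocalSystem
EventID=7036 Host=WS03 ServiceName="Spooler" State=running
"""
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> dict[str, str]:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def service_install_reasons(ev: dict[str, str]) -> list[str]:
    """Return why a 7045 event looks like RAT persistence (empty means clean)."""
    if ev.get("EventID") != "7045":
        return []
    name = ev.get("ServiceName", "").lower()
    path = ev.get("ImagePath", "").lower()
    reasons = []
    if name == KNOWN_SERVICE_NAME:
        reasons.append("service name matches the MAR indicator 'Task Frame'")
    if path.endswith(KNOWN_BINARY):
        reasons.append("binary name matches the MAR indicator mediaplayer.exe")
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append("service binary outside trusted install directories")
    return reasons

def hunt(log_text: str) -> list[dict]:
    """Scan every line and return the flagged service installs with their reasons."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if reasons := service_install_reasons(ev):
            hits.append({"host": ev.get("Host"), "service": ev.get("ServiceName"),
                         "path": ev.get("ImagePath"), "reasons": reasons})
    return hits
```

The third rule is the one that keeps paying off after the indicators change: a service binary under a user profile or ProgramData is worth a look regardless of what it is called.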

User-Agent

SlothfulMedia uses the same User-Agent on every outbound connection. The User-Agent is a header in the HTTP request sent from the end user’s browser to the web server. Baselining the User-Agents your users normally send and hunting for ones that differ is a great process to go through. To test this, use the HTTP communication module for clear text communication. Then look into blocking anything that is not what your users use. Remember that User-Agents change as browsers are updated.

Figure 2: User-Agent string of HTTP request
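The hunt described above, as an added example that is not part of the original post or the emulation plan: it baselines User-Agents from proxy log lines, flags an exact match for the User-Agent configured in the emulation plan, flags agents seen from very few clients, and, because browsers update, flags a Chrome build far behind the fleet's most common major version. The log format, IP addresses and hostnames are constructed for the example; adapt LINE_RE to your proxy's format.

```python
"""Baseline User-Agents from proxy logs and surface outliers. Added example, not
SCYTHE's code; the 'client_ip destination "user_agent"' log format is constructed."""
import re
from collections import defaultdict

# The fixed User-Agent the emulation plan configures (quoted in the post).
SLOTHFUL_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/68.0.3440.75")

# Constructed sample: a Chrome 85 fleet, a non-browser agent shared by two hosts, one host on the fixed UA.
SAMPLE_LOG = """\
10.0.0.11 intranet.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
10.0.0.12 intranet.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
10.0.0.13 mail.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
10.0.0.12 updates.example "Microsoft-Delivery-Optimization/10.0"
10.0.0.13 updates.example "Microsoft-Delivery-Optimization/10.0"
10.0.0.27 203.0.113.5 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')
CHROME_RE = re.compile(r"Chrome/(\d+)\.")

def baseline(log_text: str) -> dict[str, set[str]]:
    """Map each User-Agent string to the set of client IPs that sent it."""
    clients: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if m := LINE_RE.match(line):
            clients[m.group(3)].add(m.group(1))
    return clients

def outliers(log_text: str, min_clients: int = 2) -> list[dict]:
    """Flag indicator matches, rare agents and Chrome builds far behind the fleet."""
    clients = baseline(log_text)
    majors: list[int] = []  # one entry per client, so the mode is client-weighted
    for ua, ips in clients.items():
        if cm := CHROME_RE.search(ua):
            majors.extend([int(cm.group(1))] * len(ips))
    fleet_major = max(set(majors), key=majors.count) if majors else None
    hits = []
    for ua, ips in clients.items():
        reasons = []
        if ua == SLOTHFUL_UA:
            reasons.append("exact match for the SlothfulMedia User-Agent")
        if len(ips) < min_clients:
            reasons.append(f"seen from only {len(ips)} client(s)")
        if (cm := CHROME_RE.search(ua)) and fleet_major and fleet_major - int(cm.group(1)) >= 5:
            reasons.append(f"Chrome {cm.group(1)} lags the fleet's Chrome {fleet_major}")
        if reasons:
            hits.append({"user_agent": ua, "clients": sorted(ips), "reasons": reasons})
    return hits
```

Legitimate non-browser agents such as update clients show up on many hosts, so the client-count rule leaves them alone while a single beaconing host still stands out.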

Conclusion

While US-CERT classified this malware as coming from a “sophisticated cyber actor,” we have taken the Cyber Threat Intelligence, mapped it to MITRE ATT&CK, created an adversary emulation plan, shared the plan, demonstrated the emulation of the malware, and covered a couple of key methods to detect this threat. We hope you enjoyed this edition of #ThreatThursday.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io