win.slothfulmedia

SlothfulMedia

aka: QueenOfClubs

Actor(s): PowerPool


According to MITRE, SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017. It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.

References
2020-10-15 — Kaspersky Labs — Félix Aime, Ivan Kwiatkowski, Pierre Delcher
IAmTheKing and the SlothfulMedia malware family
SlothfulMedia
2020-10-01 — US-CERT — US-CERT
Malware Analysis Report (AR20-275A): Remote Access Trojan: SLOTHFULMEDIA
SlothfulMedia
Yara Rules
[TLP:WHITE] win_slothfulmedia_auto (20230808 | Detects win.slothfulmedia.)
// Auto-generated code-signature rule for win.slothfulmedia (SlothfulMedia, aka QueenOfClubs).
// Each $sequence_N below is a short run of x86 machine-code bytes lifted from the
// disassembly of unpacked samples / memory dumps (see DISCLAIMER). Bytes written as
// '??' are wildcards: call/jump displacements and data references are masked out
// (signator_config = callsandjumps;datarefs;binvalue), which is why those
// instructions carry no disassembly text in the per-byte comments.
rule win_slothfulmedia_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.slothfulmedia."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slothfulmedia"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Because the sequences come from unpacked code, a packed or encrypted
    // on-disk sample is not expected to match; scan memory or unpacked files.
    // In the per-sequence comments, 'n' is the instruction count of the sequence;
    // 'score' is presumably yara-signator's distinctiveness weight for it
    // (200 vs 100 here) — TODO confirm against the yara-signator documentation.

    strings:
        $sequence_0 = { e9???????? 5f 8d4638 5e }
            // n = 4, score = 200
            //   e9????????           |                     
            //   5f                   | pop                 edi
            //   8d4638               | lea                 eax, [esi + 0x38]
            //   5e                   | pop                 esi
            // e9 xx xx xx xx is jmp rel32; the target displacement is wildcarded.

        $sequence_1 = { 8938 8bd8 83c008 8945fc }
            // n = 4, score = 200
            //   8938                 | mov                 dword ptr [eax], edi
            //   8bd8                 | mov                 ebx, eax
            //   83c008               | add                 eax, 8
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_2 = { 68???????? be04010000 33c9 56 }
            // n = 4, score = 200
            //   68????????           |                     
            //   be04010000           | mov                 esi, 0x104
            //   33c9                 | xor                 ecx, ecx
            //   56                   | push                esi
            // 68 xx xx xx xx is push imm32 (immediate wildcarded). 0x104 = 260 = MAX_PATH,
            // presumably a path-buffer length passed to a Win32 API — verify against the sample.

        $sequence_3 = { 83c002 663bca 75f5 2bc6 d1f8 }
            // n = 5, score = 200
            //   83c002               | add                 eax, 2
            //   663bca               | cmp                 cx, dx
            //   75f5                 | jne                 0xfffffff7
            //   2bc6                 | sub                 eax, esi
            //   d1f8                 | sar                 eax, 1
            // NOTE(review): looks like an inlined wide-string length loop (step 2, compare
            // 16-bit, then halve the byte difference) — common compiler output, so weak alone.

        $sequence_4 = { 40 e8???????? bb04010000 53 8d85e0fdffff 50 }
            // n = 6, score = 200
            //   40                   | inc                 eax
            //   e8????????           |                     
            //   bb04010000           | mov                 ebx, 0x104
            //   53                   | push                ebx
            //   8d85e0fdffff         | lea                 eax, [ebp - 0x220]
            //   50                   | push                eax
            // e8 xx xx xx xx is call rel32 (target wildcarded); 0x104 = MAX_PATH again.

        $sequence_5 = { 8b835c040000 68???????? 0564010000 6a05 50 e8???????? 83c418 }
            // n = 7, score = 200
            //   8b835c040000         | mov                 eax, dword ptr [ebx + 0x45c]
            //   68????????           |                     
            //   0564010000           | add                 eax, 0x164
            //   6a05                 | push                5
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            // Fixed structure offsets (0x45c, 0x164) are what make this sequence specific
            // to this build's data layout; a recompiled variant may shift them.

        $sequence_6 = { 0fb7f0 f7de 6aff ff7508 }
            // n = 4, score = 200
            //   0fb7f0               | movzx               esi, ax
            //   f7de                 | neg                 esi
            //   6aff                 | push                -1
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_7 = { 8d444606 83c410 0375f0 891c08 ff45fc }
            // n = 5, score = 200
            //   8d444606             | lea                 eax, [esi + eax*2 + 6]
            //   83c410               | add                 esp, 0x10
            //   0375f0               | add                 esi, dword ptr [ebp - 0x10]
            //   891c08               | mov                 dword ptr [eax + ecx], ebx
            //   ff45fc               | inc                 dword ptr [ebp - 4]

        $sequence_8 = { 6689442414 e8???????? 83c40c 6a00 ff15???????? }
            // n = 5, score = 100
            //   6689442414           | mov                 word ptr [esp + 0x14], ax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6a00                 | push                0
            //   ff15????????         |                     
            // ff 15 xx xx xx xx is an indirect call through a memory pointer (typically
            // an import-table slot); the address is wildcarded.

        $sequence_9 = { ff15???????? 8b8c2410020000 5f 5e 33cc 33c0 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8b8c2410020000       | mov                 ecx, dword ptr [esp + 0x210]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   33cc                 | xor                 ecx, esp
            //   33c0                 | xor                 eax, eax
            // NOTE(review): 'xor ecx, esp' on a saved stack value looks like the MSVC /GS
            // security-cookie check in a function epilogue — compiler boilerplate that also
            // occurs in unrelated binaries, so this sequence alone is weak evidence.

        $sequence_10 = { 68???????? ffd6 85c0 7507 ffd7 83f805 }
            // n = 6, score = 100
            //   68????????           |                     
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   ffd7                 | call                edi
            //   83f805               | cmp                 eax, 5
            // Calls through esi/edi with a pushed pointer and a result compared against 5;
            // which APIs are behind the registers is not recoverable from the rule alone.

        $sequence_11 = { 5e 33cc 33c0 e8???????? 81c40c020000 c21000 3b0d???????? }
            // n = 7, score = 100
            //   5e                   | pop                 esi
            //   33cc                 | xor                 ecx, esp
            //   33c0                 | xor                 eax, eax
            //   e8????????           |                     
            //   81c40c020000         | add                 esp, 0x20c
            //   c21000               | ret                 0x10
            //   3b0d????????         |                     
            // Same /GS-style epilogue pattern as $sequence_9 (cookie xor, call, stack
            // cleanup, ret 0x10); 3b 0d xx xx xx xx is cmp ecx, [disp32] with the address
            // wildcarded — presumably the start of the next function's cookie check.

        $sequence_12 = { 8d54240c 6a00 52 e8???????? 83c40c 6804010000 8d44240c }
            // n = 7, score = 100
            //   8d54240c             | lea                 edx, [esp + 0xc]
            //   6a00                 | push                0
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6804010000           | push                0x104
            //   8d44240c             | lea                 eax, [esp + 0xc]
            // Another MAX_PATH (0x104) sized buffer being prepared — see $sequence_2.

        $sequence_13 = { 6a04 6a00 8d4c2410 51 ff15???????? 8b8c2410020000 5f }
            // n = 7, score = 100
            //   6a04                 | push                4
            //   6a00                 | push                0
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b8c2410020000       | mov                 ecx, dword ptr [esp + 0x210]
            //   5f                   | pop                 edi
            // Overlaps with $sequence_9 (same 8b8c2410020000 / pop edi tail), so the two
            // can fire together on one function and count as 2 of the required 7.

        $sequence_14 = { 6a00 ff15???????? 8b35???????? 8b3d???????? 90 68???????? ffd6 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   8b3d????????         |                     
            //   90                   | nop                 
            //   68????????           |                     
            //   ffd6                 | call                esi
            // 8b 35 / 8b 3d xx xx xx xx are mov esi,[disp32] / mov edi,[disp32] — loading
            // two function pointers (addresses wildcarded) before calling through esi.
            // Five of the seven instructions are mostly wildcard bytes, so this sequence
            // is comparatively generic.

        $sequence_15 = { 68d0070000 ff15???????? 33c0 6806020000 50 }
            // n = 5, score = 100
            //   68d0070000           | push                0x7d0
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   6806020000           | push                0x206
            //   50                   | push                eax
            // 0x7d0 = 2000 and 0x206 = 518 decimal; their meaning (API arguments) is not
            // recoverable from the rule alone.

    condition:
        // Any 7 of the 16 sequences must be present, and the scanned object must be
        // smaller than 122880 bytes (120 KiB). Larger objects are never flagged, so a
        // padded, repacked or appended build can fall outside the size gate; when
        // scanning process memory, be aware filesize applies to the scanned buffer.
        7 of them and filesize < 122880
}