ThreatConnect Research Roundup: SLOTHFULMEDIA RAT and Ryuk

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

Roundup Highlight: SLOTHFULMEDIA RAT and Ryuk

Malware: SLOTHFULMEDIA RAT

 

In this Roundup, we highlight the threat Malware: SLOTHFULMEDIA RAT.

According to US-CERT: This file is a 32-bit Windows executable file that is dropped and executed by 448838B2A60484EE78C2198F2C0C9C85 (in the sample reviewed and published on by US-CERT). The file is called ‘mediaplayer.exe’. When executed, it will look for a file called ‘Junk9’ and will attempt to delete it. The file ‘Junk9’ was not available for analysis. Next, it will take a screenshot of the user’s desktop and name it ‘Filter3.jpg’ and store this in the local directory. The program then looks for a service called ‘TaskFrame’ and attempts to start it. The ‘TaskFrame’ service is able to delete, add, or modify registry keys, and start and stop a keylogger program on the system. If the ‘TaskFrame’ service is already installed and running the program will terminate.

Several files were identified via a YARA rule as the RAT component of SLOTHFULMEDIA, and the embedded configs were extracted using a SLOTHFULMEDIA Config Extractor (Ghidra script to extract out the config section of the SLOTHFULMEDIA RAT component). Based on this analysis, we identified the following C2 infrastructure:

Additionally, ThreatConnect Research identified the domain qnglsmc[.]com in 20201029D: Probable SLOTHFULMEDIA Related Infrastructure. This domain is probably associated to the actor behind SLOTHFULMEDIA/QueenOfClubs based on the overlapping IP 103.78.242[.]69 with sdvro[.]net and sharing the same registration timestamp, 2020-03-09T00:50:10Z, and registrar as tnelgnmc[.]com.

At this time we have no other information on the extent to which, if any, this infrastructure has been used maliciously.

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

  • 20201109A: Ryuk Infrastructure Registered on 11/7/20 ThreatConnect Research identified a set of most likely Wizard Spider / UNC1878 / Ryuk domains registered on November 7 2020. These domains were registered through NameCheap, have similar strings compared to previously identified Ryuk infrastructure, and are hosted on dedicated servers from previously used ISPs. No related files or SSL certificates identified at this time.
  • 20201109D: Ryuk Infrastructure Registered on 11/8/20 ThreatConnect Research identified a set of most likely Wizard Spider / UNC1878 / Ryuk domains registered on November 8 2020. These domains were registered through NameCheap, have similar strings compared to previously identified Ryuk infrastructure, and are hosted on dedicated servers from previously used ISPs. No related files or SSL certificates identified at this time.
  • 20201107A: File Matching YARA Rule Associated to Mustang Panda PlugX  ThreatConnect Research identified a Mustang Panda PlugX binary and extracted Command and Control locations from the embedded configuration.
  • 20201104A: Instagram and TinyURL Spoofing Domains Hosted at 83.97.20[.]89 ThreatConnect Research identified three domains that were registered in early November 2020 through OrangeWebsite and are hosted on a probable dedicated server at 83.97.20.89. Per urlscan.io, one domain domain redirects to Instagram’s legitimate site, while the other two redirect to TinyURL. At this time, we don’t have any information on the extent to which this infrastructure has been used maliciously.
  • 20201105A: Suspicious Domains Registered Using wangsanli@tutamail[.]com ThreatConnect Research identified a suspicious domain registered through THCservers on April 29 2020 using wangsanli@tutamail[.]com. This domain went unhosted before resolving to a seemingly non-dedicated server at 103.230.180[.]30 starting around November 4 2020. The wangsanli@tutamail[.]com email address was also previously used to register the domain onlinedaily-stats[.]com (179.63.242[.]226) through Veeble on January 31 2020. These domains may also be associated with configstats[.]com (5.2.211[.]99), which was registered through Nemohosts on April 27 2020 and previously co-located with onlinedaily-stats[.]com. After registration through Nemohosts, configstats[.]com began using TopDNS name servers, which was something previously seen in Fancy Bear infrastructure in 2017. However, this name server isn’t unique to Fancy Bear and another actor could host their infrastructure similarly. At this time we have no information on the extent to which this infrastructure has been used maliciously, nor can we assess who it is associated with.
  • 20201105B: Suspicious Njalla Domains servinsideconn[.]com and innerserv20[.]com ThreatConnect Research identified two domains registered through Njalla on November 3 2020 about a minute apart and almost certainly are associated with the same actor. As of November 5 2020, the domains are hosted on probable dedicated servers at the aforementioned IPs. Per Censys, Let’s Encrypt SSL certificates were also created for the domains and their www subdomains on November 3 2020. We currently don’t have any information on the extent to which this infrastructure has been used maliciously.
  • 20201109B: Thallium Infrastructure Registered Through MonoVM ThreatConnect Research identified several domains recently registered through MonoVM using psh1968216@daum[.]net that most likely are associated with Thallium activity.

Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.

About the Author
ThreatConnect Research Team

The ThreatConnect Research Team: is an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.