October 6


SLOTHFULMEDIA: The New Remote Access Trojan

Last week the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF) identified a new malware variant dubbed SlothfulMedia, which has been used by a "sophisticated cyber actor."

A trojan is a type of malware, often disguised as legitimate software, that misleads users about its real intent and takes control of their system. Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Unlike viruses, Trojans require user interaction to be executed.

How does SlothfulMedia work?

To explain SlothfulMedia, CISA and CNMF carried out an extensive analysis, which found that this malware is a dropper that deploys two files when it is executed.

The first file is a Remote Access Tool (RAT) named 'mediapleyes.exe', designed for Command and Control (C2) of the system: it can terminate processes, run arbitrary commands, take screenshots, and modify the registry and files. Communication with the C2 controller seems to be handled via HTTP/HTTPS and TCP. The malware uses the fixed User-Agent string "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75" in its communication.

The second file deletes the dropper after the RAT (the mediapleyes.exe file) creates a service called "Task Frame," which ensures the RAT is loaded each time the system starts. The "Task Frame" service can delete, add, or modify registry keys, and start and stop a keylogger program on the system.

This malware is capable of clearing indicators of compromise (IOCs) from the system. After verifying that the "Task Frame" service is running, the program adds registry keys, ensuring that the file is deleted on the next system restart. The program will also delete the user's 'index.dat' file, removing the system's recent Internet history.
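The two indicators described above, the fixed User-Agent and the "Task Frame" service, can be checked together during triage. The following is an added example, not code from CISA, CNMF, or the original post; the proxy log layout, the service inventory format, and all sample hosts and URLs are constructed assumptions.

```python
import re
from collections import defaultdict

# Fixed User-Agent exactly as quoted in this article; matched as a prefix so a
# log entry that carries extra trailing tokens is still caught.
SLOTHFUL_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/68.0.3440.75")
SERVICE_NAME = "task frame"  # persistence service named in the article

# Assumed (constructed) proxy layout: client [time] "request" status "user-agent"
PROXY_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) "([^"]*)"$')

PROXY_LOG = '''\
10.0.4.17 [06/Oct/2020:09:12:01 +0000] "POST http://host.example.test/ HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75"
10.0.4.22 [06/Oct/2020:09:12:09 +0000] "GET http://news.example.test/ HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36"
10.0.4.31 [06/Oct/2020:09:13:40 +0000] "GET http://shop.example.test/ HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36"
10.0.4.17 [06/Oct/2020:09:17:01 +0000] "POST http://host.example.test/ HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75"
'''
# Assumed (constructed) export of installed services: "host,service display name"
SERVICE_INVENTORY = '''\
10.0.4.17,Task Frame
10.0.4.22,Print Spooler
10.0.4.40,Task Frame
'''

def ua_hits(log_text):
    """Count requests per client whose User-Agent starts with the fixed string."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = PROXY_RE.match(line.strip())
        if m and m.group(5).startswith(SLOTHFUL_UA):
            hits[m.group(1)] += 1
    return dict(hits)

def service_hosts(inventory_text):
    """Return hosts that have a service named 'Task Frame' (case-insensitive)."""
    rows = (line.partition(",") for line in inventory_text.splitlines())
    return {h.strip() for h, _, name in rows if name.strip().lower() == SERVICE_NAME}

def triage(log_text, inventory_text):
    """Combine both signals: one alone needs review (an old Chrome 68 browser can
    send the same prefix); both on the same host is a high-priority finding."""
    ua, svc = ua_hits(log_text), service_hosts(inventory_text)
    report = {}
    for host in sorted(set(ua) | svc):
        signals = [s for s, seen in (("user-agent", host in ua), ("service", host in svc)) if seen]
        report[host] = ("high" if len(signals) == 2 else "review", signals)
    return report

if __name__ == "__main__":
    for host, (level, signals) in triage(PROXY_LOG, SERVICE_INVENTORY).items():
        print(host, level, ", ".join(signals))
```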

What can you do?

CISA and CNMF recommend reporting the activity to the authorities (CISA and FBI CyWatch) and giving the highest priority to mitigating this threat.

The following are some actions that you can take to prevent being a victim of this new trojan.

  • Keep the antivirus and the system up to date and patched.
  • Use strong passwords. If you can, use Active Directory authentication.
  • Create and enforce password policies.
  • Restrict users' permission to install and run unwanted software applications.
  • Implement Access Control Lists (ACLs).
  • Train users and maintain awareness of the latest threats.

To find out more about SlothfulMedia please visit:

About Allari

Allari implements customized service plans for IT Operations & Cyber-security which allow you to complete a higher volume of planned work, gain the capacity to innovate and help your business to win.



About the author

Gabriela Granda

I am a Systems Engineer specialized in security and networking. I'm interested in defensive security and forensics.
