IAmTheKing: Who is behind the infamous SlothfulMedia malware?

October 15, 2020

On October 1, 2020, the DHS CISA agency released information about a malware family called SlothfulMedia, which they have attributed to a sophisticated threat actor.

A closer look at the report revealed that Kaspersky has been tracking this set of activity since June 2018 and had previously dubbed the actor behind it IAmTheKing. Based on its activity, the researchers identified the group as a state-sponsored actor whose primary focus is collecting intelligence from high-profile entities, mainly in Russia.

While the public has only recently been made aware of this set of activity, IAmTheKing has been active for several years. The actor possesses a rapidly evolving toolset, has mastered traditional penetration testing methodologies, and has a solid command of PowerShell, a task automation and configuration management tool.

In the last couple of years, Kaspersky researchers discovered three malware families developed by the same threat actor, which they refer to as KingOfHearts, QueenOfHearts and QueenOfClubs; the last of these is the family identified by DHS CISA as SlothfulMedia. All three malware families are backdoors, i.e. programs that provide remote access to the infected device. The actor's toolset also includes an extensive arsenal of PowerShell scripts, a dropper called JackOfHearts and a screenshot capture utility.

Primarily employing spear phishing techniques, the attackers infected victims’ devices with malware and then leveraged well-known security testing programs to compromise additional machines on the network.

Until very recently, IAmTheKing had focused exclusively on collecting intelligence from high-profile Russian entities. Victims include government bodies and defense contractors, public development agencies, universities and energy companies. However, in 2020, Kaspersky discovered rare incidents involving IAmTheKing in Central Asian and Eastern European countries. DHS CISA has also reported on activity in Ukraine and Malaysia. It is unclear whether the change in target locations indicates that the actor is adapting its strategy or that its toolset is now being used by other actors.

“IAmTheKing has been operating for a few years now and its activity is very specific, while its toolset, albeit well-developed, could not be regarded as technically outstanding. Now, following the public announcement of this threat actor, more organizations will be looking into its toolset. That is why we wanted to offer the data we have collected so far, to foster community cooperation and help other cybersecurity specialists build protection against this threat actor. It is important to note, however, that now that IAmTheKing is public, it might try to adapt and upgrade its toolset further. We will continue to investigate this threat actor and share information about its activity with our customers,” comments Ivan Kwiatkowski, senior security researcher at Kaspersky’s Global Research and Analysis Team.

Read more about IAmTheKing’s toolset on Securelist.

To stay safe from threats such as IAmTheKing’s malware, Kaspersky recommends the following:

  • Trace threats using YARA rules. Learn more about threat hunting with YARA via Kaspersky online training: https://kas.pr/o6u3
  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
  • Implement EDR solutions, such as Kaspersky Endpoint Detection and Response, for endpoint-level detection, investigation and timely remediation of incidents. It is capable of detecting attacks that leverage legitimate software.
  • Implement a corporate-grade security solution such as Kaspersky Anti Targeted Attack Platform, in addition to adopting essential endpoint protection. This will detect advanced threats at the network level at an early stage.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
