Friday, October 16, 2020
On October 1, 2020, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released information about a malware family called SlothfulMedia, which they have attributed to a sophisticated threat actor. A closer look into the report revealed that Kaspersky has been tracking this set of activity since June 2018 and previously dubbed the actor behind it IAmTheKing. Based on its activity, the researchers identified the group as a state-sponsored actor, whose primary focus is on collecting intelligence from high-profile entities, mainly in Russia.
While the public has only recently been made aware of this set of activity, IAmTheKing has been very active for a few years. The actor possesses a rapidly evolving toolset, has mastered traditional penetration testing methodologies and has a solid command of Powershell, a task automation and configuration management tool.
In the last couple of years, Kaspersky researchers discovered three malware families, all developed by the same threat actor, called KingOfHearts, QueenOfHearts and QueenOfClubs. DHS CISA identifies QueenOfClubs as SlothfulMedia. All three malware families are backdoors, a term for programs that provide remote access to an infected device. However, the toolset used by the threat actor also includes an extensive arsenal of Powershell scripts, a JackOfHearts dropper and screenshot capture utility.
Primarily employing spear phishing techniques, the attackers infected victims’ devices with malware and then leveraged well-known security testing programs to compromise additional machines on the network.
Until very recently, IAmTheKing had focused exclusively on collecting intelligence from high-profile Russian entities. Victims included government bodies and defense contractors, public development agencies, universities and energy companies. However, in 2020, Kaspersky discovered rare incidents involving IAmTheKing in Central Asian and Eastern European countries. The DHS CISA has also reported on activity in the Ukraine and Malaysia. It is unclear whether the changing target locations indicate that the actor is adapting its strategy or that its toolset is now being used by other actors.
“IAmTheKing has been operating for a few years now and its activity is very specific, while its toolset, albeit well-developed, could not be regarded as technically outstanding,” said Ivan Kwiatkowski, senior security researcher at Kaspersky’s Global Research and Analysis Team. “Now, following the public announcement of this threat actor, more organizations will be looking into its toolset. That is why we wanted to offer the data we have collected so far, to foster community cooperation and help other cybersecurity specialists build protection against this threat actor. It is important to note, however, that now that IAmTheKing is public, it might try to adapt and upgrade its toolset further. We will continue to investigate this threat actor and share information about its’ activity with our customers.”
Read more about IAmTheKing’s toolset on Securelist.
To stay safe from threats, such as IAmTheKing’s malware, Kaspersky recommends the following advice:
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.