Earlier this month, a malware family called SlothfulMedia was found targeting victims in multiple countries and was attributed to a sophisticated threat actor. This C++ backdoor is the first element of the actor's toolset. It comes in EXE or DLL variants and was distributed through spear-phishing e-mails carrying malicious Word documents. The infection chain relies on a PowerShell script that downloads a base64-encoded payload, hidden inside an image file, from a remote server. The threat actor, known as IAmTheKing, uses several toolsets, including SlothfulMedia, KingofHearts and QueenofHearts.
Rather than developing sophisticated features, the malware developers opted to include anti-debugging and virtualization detection routines. Communications with the C2 server take place over HTTP(S), implemented with the wsdlpull open-source library. The backdoor polls for new orders every second by sending a heartbeat to the C2 (the "HEART" command, hence the name).
We identified two main development branches: one sends URL-encoded POST data, the other sends JSON objects. Both have been used concurrently and otherwise display the same capabilities. Victims of this threat actor include government bodies, defense contractors, public development agencies, universities and companies in the energy sector. Attacks were seen in Russia, Eastern Europe and Central Asia, as well as in India, Ukraine and Malaysia.
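The one-second heartbeat and the two body encodings described above give a defender something to hunt for in proxy telemetry. The following script is an added example, not code from the original write-up: it parses constructed proxy log lines (the field layout, hosts and timestamps are all assumed) and flags client/host pairs whose request cadence clusters tightly around one second, reporting the request content type so the URL-encoded and JSON branches can be told apart.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log lines (not real telemetry): timestamp, client, method, URL, content type.
SAMPLE_LOG = """\
1601890000.00 10.0.0.5 POST http://203.0.113.10/index.php application/x-www-form-urlencoded
1601890001.01 10.0.0.5 POST http://203.0.113.10/index.php application/x-www-form-urlencoded
1601890002.00 10.0.0.5 POST http://203.0.113.10/index.php application/x-www-form-urlencoded
1601890003.02 10.0.0.5 POST http://203.0.113.10/index.php application/x-www-form-urlencoded
1601890000.50 10.0.0.7 POST http://203.0.113.20/api application/json
1601890001.49 10.0.0.7 POST http://203.0.113.20/api application/json
1601890002.51 10.0.0.7 POST http://203.0.113.20/api application/json
1601890003.50 10.0.0.7 POST http://203.0.113.20/api application/json
1601890000.00 10.0.0.9 GET http://example.org/news text/html
1601890037.00 10.0.0.9 GET http://example.org/news text/html
1601890120.00 10.0.0.9 GET http://example.org/about text/html
1601890121.00 10.0.0.9 GET http://example.org/style.css text/css
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Parse the assumed log layout into (timestamp, client, host, content_type) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, client, _method, url, ctype = m.groups()
        host = urlsplit(url).hostname or url
        events.append((float(ts), client, host, ctype))
    return events

def find_heartbeats(events, period=1.0, tolerance=0.1, min_requests=4):
    """Return {(client, host): content_type} for flows polling at ~`period` seconds."""
    flows = defaultdict(list)
    for ts, client, host, ctype in events:
        flows[(client, host)].append((ts, ctype))
    hits = {}
    for key, reqs in flows.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        # a real heartbeat has a mean gap near the period and very little jitter
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits[key] = reqs[0][1]  # content type distinguishes the two branches
    return hits
```

Ordinary browsing (10.0.0.9 above) has irregular gaps and is not flagged; the period and tolerance are tunable assumptions, and legitimate one-second pollers will need allow-listing.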