On October 1, 2020, the DHS CISA agency released information about a malware family called SlothfulMedia, which they have attributed to a sophisticated threat actor.
A closer look into the report helped reveal that Kaspersky has been tracking this set of activity since June 2018 and previously dubbed the actor behind it as IAmTheKing. Based on its activity, the researchers identified the group as a state-sponsored actor, whose primary focus is on collecting intelligence from high-profile entities, mainly in Russia.
While the public has only recently been made aware of this set of activity, IAmTheKing has been very active for a few years. The actor possesses a rapidly evolving toolset, has mastered traditional penetration testing methodologies and has a solid command of PowerShell, a task automation and configuration management tool.
In the last couple of years, Kaspersky researchers were able to discover three malware families developed by the same threat actor, which they refer to as KingOfHearts, QueenOfHearts and QueenOfClubs – the family identified by DHS CISA as SlothfulMedia. All three malware families are backdoors – programs that provide remote access to the infected device. However, the toolset used by the threat actor also includes an extensive arsenal of PowerShell scripts, the JackOfHearts dropper and a screenshot capture utility.
Primarily employing spear-phishing techniques, the attackers infected victims’ devices with malware and then leveraged well-known security testing programs to compromise additional machines on the network.
Until very recently, IAmTheKing had focused exclusively on collecting intelligence from high-profile Russian entities. Victims include government bodies and defense contractors, public development agencies, universities and energy companies. However, in 2020, Kaspersky discovered rare incidents involving IAmTheKing in Central Asian and Eastern European countries. DHS CISA has also reported on activity in Ukraine and Malaysia. It is unclear whether the change in target locations indicates that the actor is adapting its strategy or that its toolset is now being used by other actors.
“IAmTheKing has been operating for a few years now and its activity is very specific, while its toolset, albeit well-developed, could not be regarded as technically outstanding. Now, following the public announcement of this threat actor, more organizations will be looking into its toolset. That is why we wanted to offer the data we have collected so far, to foster community cooperation and help other cybersecurity specialists build protection against this threat actor. It is important to note, however, that now that IAmTheKing is public, it might try to adapt and upgrade its toolset further. We will continue to investigate this threat actor and share information about its activity with our customers,” comments Ivan Kwiatkowski, a senior security researcher at Kaspersky’s Global Research and Analysis Team.
Read more about IAmTheKing’s toolset on Securelist.