The malware establishes initial access on targeted machines, then waits for additional code to execute.
A brand-new multiplatform malware, likely distributed via malicious npm packages, is spreading under the radar, with its Linux and Mac versions going fully undetected in VirusTotal, researchers warned.
The Windows version, according to a Tuesday writeup from Intezer, has only six detections as of this writing. These samples were uploaded to VirusTotal with the suffix ".ts," which is used for TypeScript files.
Dubbed SysJoker by Intezer, the backdoor is used to establish initial access on a target machine. Once installed, it can execute follow-on code as well as additional commands, through which malicious actors can carry out follow-on attacks or pivot to move further into a corporate network. This kind of initial access is also a hot commodity on underground cyberforums, where ransomware groups and others can purchase it.
It was first seen in December during a cyberattack on a Linux-based web server of a "leading educational institution," researchers said. Looking at its command-and-control (C2) domain registration and other sample data, this trickster appears to have been cooked up in the second half of 2021, they added.
A possible attack vector for SysJoker is an infected npm package, according to Intezer's analysis – an increasingly popular vector for dropping malware on targets. Npm and other public code repositories are centralized developer communities where coders can upload and download building blocks for building applications. If one of these building blocks is malicious, it can be pulled into any number of apps, ready to strike any users of those infected projects.
SysJoker's Infection Routine
Once it lands on a target, SysJoker masquerades as a system update, researchers noted, to avoid suspicion. It derives its C2 address by decoding a string retrieved from a text file hosted on Google Drive.
"During our analysis the C2 has changed three times, indicating the attacker is active and monitoring infected machines," researchers said in the report. "Based on victimology and malware's behavior, we assess that SysJoker is after specific targets."
SysJoker's behavior is similar across all three operating systems, according to Intezer, with the exception that the Windows version makes use of a first-stage dropper.
Once executed, SysJoker sleeps for a random interval of between a minute and a half and two minutes. It then creates the C:\ProgramData\SystemData directory and copies itself there under the file name "igfxCUIService.exe" – in other words, it masquerades as the Intel Graphics Common User Interface Service.
After gathering system information (MAC address, user name, physical media serial number and IP address), it writes the data to a temporary text file.
"These text files are deleted immediately, stored in a JSON object and then encoded and written to a file named 'microsoft_Windows.dll,'" researchers said.
SysJoker then establishes persistence by adding an entry to the registry Run key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run." Between each of these stages of infection, it sleeps for a random period of time.
Establishing C2 Communication
To establish a connection with the C2, SysJoker first decodes a hardcoded Google Drive link using a hardcoded XOR key, researchers noted. It uses the same key to encrypt data sent back and forth between itself and the C2, they added.
That Google Drive link points to a text file named "domain.txt" that holds an encoded C2 address (the address changes dynamically according to server availability). The malware decodes the C2 address and sends the previously collected machine-fingerprinting data to it, according to the analysis. The C2 replies with a unique token – an identifier for that particular infection that the malware will use when it pings the C2 for instructions.
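The text above describes a single hardcoded XOR key that unlocks the Google Drive link, the domain.txt contents and the C2 traffic. The following is an added example (not Intezer's code and not derived from a SysJoker sample) showing why that design is fragile for the attacker: with repeating-key XOR, an analyst who knows only that the encoded string starts with `https://drive.google.com/` can recover the key from the sample by known-plaintext, and the same key then decodes domain.txt and the fingerprint beacon. The key, the Drive link, the C2 domain, the JSON field names and the assumption that the XOR is applied directly to the raw bytes are all constructed for illustration and go beyond what the article states:

```python
import json

# Constructed stand-ins. SysJoker's real key, Google Drive link, C2 address and
# fingerprint layout are deliberately not reproduced here.
XOR_KEY = b"k3yB0ard"                                                         # hypothetical key
DRIVE_LINK = "https://drive.google.com/uc?export=download&id=EXAMPLEFILEID"   # hypothetical link
DOMAIN_TXT = "https://c2.example.invalid"                                     # hypothetical domain.txt body
KNOWN_PREFIX = b"https://drive.google.com/"                                   # every Drive link starts this way


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; one function serves for both encoding and decoding."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_string(text: str, key: bytes) -> bytes:
    return xor_bytes(text.encode("utf-8"), key)


def decode_string(blob: bytes, key: bytes) -> str:
    return xor_bytes(blob, key).decode("utf-8")


def find_period(stream: bytes) -> int:
    """Smallest p such that stream[i] == stream[i-p] everywhere, i.e. the key length.
    Only trustworthy when the stream covers at least one full key period."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(blob: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext recovery: ciphertext XOR plaintext yields the key byte used at
    each position; the repeat period of that keystream is the key length."""
    keystream = bytes(c ^ p for c, p in zip(blob, known_prefix))
    return keystream[:find_period(keystream)]


def build_fingerprint(mac: str, user: str, serial: str, ip: str) -> str:
    """The four fields the article lists, as a JSON object (field names assumed)."""
    return json.dumps({"mac": mac, "user": user, "serial": serial, "ip": ip},
                      separators=(",", ":"))


def sample_artifacts():
    """Constructed: the encoded link as carried in the binary, the encoded domain.txt
    body, and an encoded fingerprint beacon as it would cross the wire."""
    beacon = build_fingerprint("00:11:22:33:44:55", "alice", "SN-0001", "10.0.0.7")
    return (encode_string(DRIVE_LINK, XOR_KEY),
            encode_string(DOMAIN_TXT, XOR_KEY),
            encode_string(beacon, XOR_KEY))


def triage(encoded_link: bytes, encoded_domain: bytes, encoded_beacon: bytes) -> dict:
    """Analyst workflow: recover the key from the link's known prefix, then reuse it
    for domain.txt and the beacon, since the article says one key serves all three."""
    key = recover_key(encoded_link, KNOWN_PREFIX)
    return {
        "key": key,
        "drive_link": decode_string(encoded_link, key),
        "c2": decode_string(encoded_domain, key),
        "beacon": json.loads(decode_string(encoded_beacon, key)),
    }


if __name__ == "__main__":
    out = triage(*sample_artifacts())
    out["key"] = out["key"].decode()
    print(json.dumps(out, indent=2))
```

The known prefix has to be at least as long as the key for `find_period` to settle on the right length; a 25-byte URL prefix covers the 8-byte key assumed here, but a longer real key would need more known plaintext (the rest of the Drive URL structure, or the `https://` of domain.txt).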
SysJoker can receive several commands, including "exe," "cmd," "remove_reg" and "exit" – only two of which were implemented at the time of Intezer's analysis.
"remove_reg and exit are not implemented in this current version," researchers said. "Based on the instruction names, we can assume that they are in charge of self deletion of the malware."
The exe command is in charge of dropping and running an executable.
"SysJoker will receive a URL to a .ZIP file, a directory for the path the file should be dropped to and a filename that the malware should use on the extracted executable," according to Intezer. "It will download this file, unzip it and execute it."
After execution, the malware replies "success" if the file was installed successfully or "exception" if not.
The cmd command is for running next-stage instructions.
"SysJoker will decode the command, execute it and upload the command's response to the C2 through /api/req/res API," researchers explained. "[But] during our investigation, the C2 hasn't responded with a next stage instruction."
How to Detect & Mitigate SysJoker Malware
Even though VirusTotal detections are low to non-existent for SysJoker, Intezer provided some tips for identifying whether it has jested its way onto a network.
Users or admins can first use memory scanners to detect a SysJoker payload in memory. They can also use detection content to search endpoint detection and response (EDR) and security information and event management (SIEM) platforms (Intezer's post has rich indicators of compromise and other information to help with this).
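The Windows infection routine described earlier (the C:\ProgramData\SystemData staging directory, the igfxCUIService.exe masquerade, the microsoft_Windows.dll fingerprint file, the HKCU Run key and the Google Drive lookup) is enough to write the kind of EDR/SIEM detection content this section refers to. The following is an added example, not Intezer's detection content, that turns those indicators into rules and runs them over constructed Sysmon-style events. The event layout, field names and every sample line are constructed; the file system paths and registry key come from the article, while the location of microsoft_Windows.dll is not stated there and the rule matches it by name only:

```python
import json
import re
from typing import Dict, List

# Constructed Sysmon-style events (one JSON object per line) assembled from the
# indicators the article describes; not real telemetry from the Intezer report.
# Sysmon records HKEY_CURRENT_USER paths under HKU\<SID>.
SAMPLE_EVENTS = r"""
{"EventID":11,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","TargetFilename":"C:\\ProgramData\\SystemData\\igfxCUIService.exe"}
{"EventID":11,"Image":"C:\\ProgramData\\SystemData\\igfxCUIService.exe","TargetFilename":"C:\\ProgramData\\SystemData\\microsoft_Windows.dll"}
{"EventID":13,"Image":"C:\\ProgramData\\SystemData\\igfxCUIService.exe","TargetObject":"HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\igfxCUIService","Details":"C:\\ProgramData\\SystemData\\igfxCUIService.exe"}
{"EventID":22,"Image":"C:\\ProgramData\\SystemData\\igfxCUIService.exe","QueryName":"drive.google.com"}
{"EventID":13,"Image":"C:\\Program Files\\OneDrive\\OneDrive.exe","TargetObject":"HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","Details":"C:\\Program Files\\OneDrive\\OneDrive.exe"}
{"EventID":22,"Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","QueryName":"drive.google.com"}
"""

# igfxCUIService.exe is the name of a genuine Intel component, which is exactly why the
# malware borrowed it. The staging directory from the article, not the file name alone,
# is the discriminator in every rule below.
STAGING_DIR = re.compile(r"\\programdata\\systemdata\\", re.I)
MASQ_BINARY = re.compile(r"\\programdata\\systemdata\\igfxcuiservice\.exe$", re.I)
FINGERPRINT_FILE = re.compile(r"\\microsoft_windows\.dll$", re.I)   # directory not given in the article
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def classify(ev: Dict) -> List[str]:
    """Return the names of every rule the event satisfies."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == 11:                                   # FileCreate
        target = ev.get("TargetFilename", "")
        if MASQ_BINARY.search(target):
            hits.append("sysjoker_masqueraded_binary_dropped")
        if FINGERPRINT_FILE.search(target):
            hits.append("sysjoker_fingerprint_file_written")
    elif eid == 13:                                 # Registry value set
        if RUN_KEY.search(ev.get("TargetObject", "")) and STAGING_DIR.search(ev.get("Details", "")):
            hits.append("sysjoker_run_key_persistence")
    elif eid == 22:                                 # DNS query
        # Google Drive lookups are everyday traffic; only the masqueraded binary making
        # them is worth an alert.
        if ev.get("QueryName", "").lower() == "drive.google.com" and MASQ_BINARY.search(image):
            hits.append("sysjoker_c2_lookup_via_google_drive")
    return hits


def scan(jsonl: str) -> List[Dict]:
    """Run every rule over a JSON-lines event stream and collect the findings."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        for rule in classify(ev):
            findings.append({"rule": rule, "event_id": ev["EventID"], "image": ev.get("Image")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['rule']:40} EventID={f['event_id']} Image={f['image']}")
```

The two benign lines (OneDrive's own Run entry and a browser resolving drive.google.com) produce no findings, which is the point of anchoring each rule on the staging directory rather than on a file name or a domain that legitimate software also uses. The same rules translate directly into EDR or SIEM query syntax once the field names are mapped to the platform's schema.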
If a compromise is detected, victims can take the following steps, according to the firm: