CyberWire Daily - SysJoker backdoor masquerades as benign updates. [Research Saturday]
Episode Date: February 12, 2022
Guests Avigayil Mechtinger and Ryan Robinson from Intezer discuss SysJoker malware, a backdoor that targets Windows, Linux and macOS. Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the latest examples until now. In December 2021, the team at Intezer discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal. Intezer named this backdoor SysJoker. SysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution. After further investigation, Intezer found that SysJoker also has Mach-O and Windows PE versions. Based on Command and Control (C2) domain registration and samples found in VirusTotal, Intezer estimates that the SysJoker attack was initiated during the second half of 2021. The research can be found here: New SysJoker Backdoor Targets Windows, Linux, and macOS
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So basically, SysJoker was found during an active attack on a Linux-based web server.
And after some research, we found out that SysJoker actually has Mac and Windows versions.
Joining us today are Avigayil Mechtinger and Ryan Robinson, both security researchers at Intezer.
The research is titled, New SysJoker Backdoor Targets Windows, Linux, and macOS.
All right, well, let's walk through this together. Can we go through
your technical analysis here? What exactly is going on with SysJoker?
Yeah, so I'll mention a few points before I dive into the technical analysis.
That's Avigayil Mechtinger.
So basically, SysJoker masquerades as a system update, and it has persistent capabilities.
This means that it can survive reboot on the machine. And based on SysJoker's capabilities,
we assess that the goal of the attack is espionage, and also it has lateral movement capabilities,
which might also lead to a ransomware attack as one of the next stages.
Now if we go a bit more technically and high level, so first it will copy itself to a new
directory masquerading as something benign on the machine. After that, it will start collecting information of the compromised machine
using living off the land commands.
For Windows, it's PowerShell.
And then it will send the information of the machine
to the command and control server as a first handshake.
And then it will ping to the command and control server
and wait for an instruction.
And if there is an instruction, it will parse it and send the response back to the C2.
Now, since SysJoker has full backdoor capabilities, it can receive two different instructions from
the C2, basically. The first one is CMD, which means run a command provided by the attacker
and send the response back to the C2.
And the second command is EXE,
which means drop an executable from a provided URL and run it.
Okay, this is really in a high level.
Now, SysJoker has an interesting way to resolve its C2, its command and control.
It will first contact a hard-coded Google Drive URL, which hosts a domain.txt file.
And this file contains a Base64 decoded address.
It will then decode this address with a hard-coded XOR key.
And this key is also used for decoding and encoding strings from within the binary itself,
and also data sent and received from the C2.
Yeah, Ryan, would you like to continue with some more interesting points about this malware?
So it may just be reiterating what you've said mostly. When it's first executed
on the machine, it will copy itself to a location where it masquerades as something quite benign.
So it does, so just like a system update or like a script file. In the Windows version, there is,
since Windows malware is quite often better detected
through security tooling,
it appears to have a first stage that uses PowerShell
to sort of drop and execute the SysJoker payload.
So it does, but that doesn't exist on the Mac and the Linux versions.
What is interesting about the Linux version
is that they have sort of made an operational security gaffe,
in that they have not stripped the binary.
So artifacts of what they actually called the function names are all
still in there. And also interesting as well, they have a logging system in place, so what the malware
does, it will write this down into a log, and it kind of assists with analysis a lot, really. So it does.
The logging is sort of the same in the Mac version,
but the functions have been stripped in that.
What is also interesting about the Mac version
is that it's compiled for a multi-arch.
Therefore, we can probably assume that they want that to run
on both the Intel versions of Mac and newer Mac machines
that have the Apple M1 chip. It has an ARM version
packed within that too. So do you have any insights on
how someone would find themselves
infected with this? In other words, do we have a sense for
who they're targeting and some of
the specific ways that they'll get this onto their target systems? So in regards to who they're
targeting, definitely they have an interest in academic and science institutions. We can see
this obviously through the compromised victim that we know of personally and that we've worked with.
But also you can see in the domains that they have created.
So one of the domains that they've created is called the Hooket Lab.
And this is a piece of software that's used by academic institutions, universities, colleges, and all for like facilities management.
If you were to see this in your network,
it looks like normal academic traffic per se.
So it seems to be quite an interest within that field.
And also due to links that have sort of been on Twitter,
some other people have given attributions,
there appears to be related through passive DNS pivoting.
It appears that there is a related file that is a weaponized Microsoft Office Word file
that deals with science as well that may be used as a first stage to deliver the malware.
Also, from a personal experience, we know that this malware was dropped in another instance through a reverse shell that was spawned through an exploited Apache web server.
What is your advice in terms of folks detecting this and protecting themselves against infection
to begin with?
To begin with, there are many security practices.
First of all, checking that you're running the most updated systems
and best practices of the configurations.
It really differs whether you have a server or an endpoint and so on.
There are many security practices. So if we're talking about
the servers, then what I mentioned: the configuration and being updated to the latest
services. And if we're talking of an endpoint, you can do phishing courses for the employees
and so on, complex passwords, and you know, the list goes on. But as for detecting
if you have been compromised, I can loop you back to the blog that we wrote, where we provided
detection content, which can really help you search via your EDR or SIEM really easily. And we also published another blog that explains
how with the OS queries. So there is information for that as well. So how widespread is this? And
are you seeing that this actor is still active out there making this an ongoing campaign?
So we have not observed many samples in the wild, and this suggests that the attacks are limited in scope. Actually, the C2 was
up and running when we analyzed the files, and it actually changed three times during our analysis,
which indicated that during our analysis, the attacker was, you
know, was monitoring, was there, was updating its C2.
But after the publication, the Google Drive links went down.
And I think this kind of shut down some of the samples that we found.
It could be that there will be new samples with new Google Drive links that will generate new C2s.
It kind of provides them a way to go under the radar when they use this domain of Google.
But for the samples that we found now, they don't have the ability to resolve the C2.
Our thanks to Avigayil Mechtinger and Ryan Robinson from Intezer for joining us.
The research is titled New SysJoker Backdoor Targets Windows, Linux, and macOS.
we'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brendan Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Kirill Terrio, and Ben Yellen.
Thanks for listening.
We'll see you back here next week.