Friday, March 29, 2024

SysJoker Malware Targets Windows, Mac & Linux to Steal Sensitive Data

A new multi-platform malware has been detected in the wild recently by the security experts at Intezer that is stealing users’ sensitive data from all the major platforms like:-

  • Windows
  • Mac
  • Linux

This malware has been named ‘SysJoker,’ and this malware comes with several stealthy features; among them comes the capability to circumvent detection on all three major operating systems that we have mentioned above.

In H2 2021, the first sample of the malware was uploaded and occurred with the C2 domain enrollment times. And in December 2021, the first signs of its activity on a Linux-based web server were identified by the experts.

SysJoker – A Stealthy Malware

SysJoker is developed using C++, whose every available variant is specifically designed for all the major operating systems.

But, how stealthy are they? The SysJoker malware is developed very carefully with all the stealthy features and abilities which allow it to evade the popular virus scanning site that utilizes the 57 distinct AV engines, VirusTotal.

Using the PowerShell commands, the SysJoker malware engages the first-stage dropper on Windows in the form of a DLL file, and once done, then performs the following actions:-

  • Fetch the SysJoker ZIP from a GitHub repository, 
  • unzip it on “C:\ProgramData\RecoverySystem\”,
  • execute the payload.

The malware then sleeps for up to two minutes before creating a new directory and copies itself as an Intel Graphics Common User Interface Service (“igfxCUIService.exe”).

Now, next, using the Living off the Land (LOtL) commands, the malware starts collecting the information about the system, and then it logs the results of the commands in different temporary text files.

When the logged data get stored in a JSON object which is named “microsoft_Windows.dll,” it immediately deletes all the temporary text files with the logged results.

By adding a new registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run), SysJoker creates persistence in the compromised system, and then it starts gathering the system and network data.

And to make everything authentic, it also automatically programs the compromised systems with random sleep times. While apart from this, the hackers use Google Drive’s complex link to proceed further and reach the C2 server managed by the attackers.

In the first stage infection chain, the system information gets collected, and here it’s sent to the C2, which replies back with a unique token that is served as an identifier of the infected endpoint.

However, in the case of macOS and Linux, it doesn’t perform any first-stage infection chain by dropping any dropper. As here, on the infected device, it directly starts performing the same malicious activities without any stage limitations.

C2 Domains

Here is the list of C2 domains used by the threat actors:-

  • https[://]bookitlab[.]tech
  • https[://]winaudio-tools[.]com
  • https[://]graphic-updater[.]com
  • https[://]github[.]url-mini[.]com
  • https[://]office360-update[.]com
  • https[://]drive[.]google[.]com/uc?export=download&id=1-NVty4YX0dPHdxkgMrbdCldQCpCaE-Hn
  • https[://]drive[.]google[.]com/uc?export=download&id=1W64PQQxrwY3XjBnv_QaeBQu-ePr537eu

Mitigations

If you want to check whether your system is infected or not, you can check by following things that we have mentioned below for all three OS:-

Windows: On Windows OS, you have to check C:\ProgramData\RecoverySystem” folder, at C:\ProgramData\SystemData\igfxCUIService.exe, and C:\ProgramData\SystemData\microsoft_Windows.dll.

macOS: On macOS, you have to check “/Library/” and persistence is achieved via LaunchAgent under the path: /Library/LaunchAgents/com.apple.update.plist.

Linux: On Linux, you have to check “/.Library/” while persistence is established by creating the following cron job: @reboot (/.Library/SystemServices/updateSystem).

After analyzing, if you found that your system is compromised, then you have to follow the things that we have mentioned below:-

  • All the processes related to the malware have to be killed.
  • You have to delete all the files and the relevant persistence mechanisms manually.
  • To ensure that all malicious files have been uprooted, you have to run a memory scanner.
  • Examine all the potential entry points.
  • Properly check firewall configurations.
  • Keep all the existing tools and software updated.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates

Website

Latest articles

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles