
Threat Watch


SysJoker – Advanced Multi-Platform Backdoor Opening 2022

SysJoker is a backdoor discovered in late December 2021 that targets Linux, macOS, and Windows. At the time of discovery, the macOS and Linux samples were fully undetected on VirusTotal. That has since changed, as AV vendors have developed standard signature-based detections for the samples.

The developers or group behind SysJoker are active and vigilant. In its report, security research firm Intezer explains that the command-and-control (C2) server changed multiple times during one of its engagements: “SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive. During our analysis, the C2 changed three times, indicating the attacker is active and monitoring for infected machines.” Because the backdoor's configuration file is hosted on a Google Drive account, detection can be more difficult for organizations that have blanket allowlisting in place for Google Drive infrastructure.

The group behind SysJoker appears to be advanced and is targeting specific entities, with the goals of espionage, lateral movement within the victim's environment, and ransomware deployment. The malware's code was written from scratch and, prior to this investigation, had no known samples, which is a rarity when researching Linux and macOS malware.

Samples (SHA-256):

ELF

bd0141e88a0d56b508bc52db4dab68a49b6027a486e4d9514ec0db006fe71eed

d028e64bf4ec97dfd655ccd1157a5b96515d461a710231ac8a529d7bdb936ff3

Mac

1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac

Windows

61df74731fbe1eafb2eb987f20e5226962eeceef010164e41ea6c4494a4010fc

1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c
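As an added example (not Binary Defense or Intezer code), the following Python sweep hashes every regular file under a directory tree and flags any whose SHA-256 matches one of the SysJoker sample hashes listed above; the platform labels and chunked hashing are this example's own choices.

```python
"""Sweep a directory tree for files matching the SysJoker sample hashes
published in this bulletin. Added example; not Binary Defense or Intezer code."""
import hashlib
import os
import sys

# SHA-256 hashes copied from the bulletin above, keyed to their platform.
SYSJOKER_HASHES = {
    "bd0141e88a0d56b508bc52db4dab68a49b6027a486e4d9514ec0db006fe71eed": "Linux (ELF)",
    "d028e64bf4ec97dfd655ccd1157a5b96515d461a710231ac8a529d7bdb936ff3": "Linux (ELF)",
    "1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac": "macOS",
    "61df74731fbe1eafb2eb987f20e5226962eeceef010164e41ea6c4494a4010fc": "Windows",
    "1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c": "Windows",
}


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, hashing in 1 MiB chunks so large
    binaries are never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_hash(hexdigest):
    """Return the platform label for a known SysJoker hash, or None."""
    return SYSJOKER_HASHES.get(hexdigest.strip().lower())


def scan_tree(root):
    """Walk root and return [(path, platform)] for every matching file.
    Symlinks are not followed; unreadable or vanished files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                platform = classify_hash(sha256_file(path))
            except OSError:
                continue  # permission denied, file removed mid-scan, etc.
            if platform:
                hits.append((path, platform))
    return hits


if __name__ == "__main__":
    for hit_path, hit_platform in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {hit_platform}: {hit_path}")
```

A match on these hashes is a high-confidence indicator; a miss is not a clean bill of health, since repacked or modified builds will hash differently.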

ANALYST NOTES

In 2022, we need to understand that a reactive defense is no longer enough: organizations need a mature, effective, defense-in-depth security strategy that includes proactive measures. Many well-planned frameworks are available for defenders who want to learn simple and effective steps for tailoring enriched and deliberate threat hunts. Bolstering Security Operations Centers and Incident Response teams while reducing their burden multiplies the cost savings realized when dealing with an active, harmful incident.

https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/

https://objective-see.com/blog/blog_0x6C.html