A brand-new multiplatform malware, likely distributed via malicious npm packages, is spreading under the radar with Linux and Mac versions going fully undetected in VirusTotal, researchers warned.
The Windows version, according to a Tuesday writeup from Intezer, has only six detections as of this writing. These were uploaded to VirusTotal with the suffix “.ts,” which is used for TypeScript files.
Dubbed SysJoker by Intezer, the backdoor is used for establishing initial access on a target machine. Once installed, it can execute follow-on code as well as additional commands, through which malicious actors can carry out follow-on attacks or pivot to move further into a corporate network. This kind of initial access is also a hot commodity on underground cyberforums, where ransomware groups and others can purchase it.
It was first seen in December during a cyberattack on a Linux-based web server of a “leading educational institution,” researchers said. Looking at its command-and-control (C2) domain registration and other sample data, this trickster appears to have been cooked up in the second half of 2021, they added.
A possible attack vector for SysJoker is an infected npm package, according to Intezer’s analysis – an increasingly popular vector for dropping malware on targets. Npm and other public code repositories are centralized developer communities where coders can upload and download building blocks for building applications. If one of these building blocks is malicious, it can be pulled into any number of apps, ready to strike any users of those infected projects.
SysJoker’s Infection Routine
Once it finds a target, SysJoker masquerades as a system update, researchers said, to avoid suspicion. Meanwhile, it generates its C2 by decoding a string retrieved from a text file hosted on Google Drive.
“During our analysis the C2 has changed three times, indicating the attacker is active and monitoring infected machines,” researchers noted in the report. “Based on victimology and malware’s behavior, we assess that SysJoker is after specific targets.”
SysJoker’s behavior is similar for all three operating systems, according to Intezer, with the exception that the Windows version makes use of a first-stage dropper.
After execution, SysJoker sleeps for a random amount of time, between a minute and a half and two minutes. Then, it will create the C:\ProgramData\SystemData\ directory and copy itself there using the file name “igfxCUIService.exe” – in other words, it masquerades as the Intel Graphics Common User Interface Service.
After gathering system information (mac address, user name, physical media serial number and IP address), it collects the data into a temporary text file.
“These text files are deleted immediately, stored in a JSON object and then encoded and written to a file named ‘microsoft_Windows.dll,'” researchers noted.
SysJoker will then establish persistence by adding an entry to the registry run key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.” Between each of these stages of infection, it sleeps for a random period of time.
Establishing C2 Communication
To establish a connection with the C2, SysJoker first decodes a hardcoded Google Drive link using a hardcoded XOR key, researchers observed. It uses the same key to encrypt information sent back and forth to and from the C2, they added.
That Google Drive link opens a text file named “domain.txt” that holds an encoded C2 (the address changes dynamically according to server availability). The link decodes the C2 and sends the previously collected machine fingerprinting data over, according to the analysis. The C2 replies with a unique token – an identifier for that particular infection that it will use to ping the C2 for instructions.
SysJoker can receive various commands, including “exe,” “cmd,” “remove_reg” and “exit” – only two of which were enabled at the time of Intezer’s analysis.
“remove_reg and exit are not implemented in this current version,” researchers explained. “Based on the instruction names, we can assume that they are in charge of self deletion of the malware.”
The exe command is in charge of dropping and running an executable.
“SysJoker will receive a URL to a .ZIP file, a directory for the path the file should be dropped to and a filename that the malware should use on the extracted executable,” according to Intezer. “It will download this file, unzip it and execute it.”
After execution, the malware will reply “success” if the file was successfully installed or “exception” if not.
The cmd command is for running next-stage instructions.
“SysJoker will decode the command, execute it and upload the command’s response to the C2 via /api/req/res API,” researchers explained. “[But] during our analysis, the C2 hasn’t responded with a next stage instruction.”
How to Detect & Mitigate SysJoker Malware
Even though VirusTotal detections are low to non-existent for SysJoker, Intezer provided some tips for determining whether it has jested its way onto a network.
Users or admins can first use memory scanners to detect a SysJoker payload in memory. They can also use detection content to search endpoint detection and response (EDR) and security information and event management (SIEM) platforms (Intezer’s post has rich indicators of compromise and other data to help with this).
If a compromise is detected, victims can take the following steps, according to the firm:
- Kill the processes related to SysJoker, delete the relevant persistence mechanism and all files related to SysJoker.
- Make sure that the infected machine is clean by running a memory scanner.
- Investigate the initial entry point of the malware. If a server was infected with SysJoker during the course of this investigation, check:
- Configuration status and password complexity for publicly facing services, and
- Used software versions and possible known exploits.
Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.