SysJoker, a new multi-platform backdoor that attacks Windows, Mac, and Linux operating systems was discovered in December 2021 and has been used to target a leading educational institution amongst other undisclosed organizations. The Linux and Mac versions of the malware were fully undetected in leading threat feeds up until the past few days. Victimology and the advanced nature of the malware suggest it was created by an advanced threat actor to target specific victims. Barracuda MSP has loaded Indicators of Compromise relating to this malware into SKOUT Log and Network Security Monitoring to protect Barracuda SKOUT Managed XDR Partners.
Technical Detail & Additional Information
WHAT IS THE THREAT?
SysJoker is a backdoor that targets multiple operating systems. First discovered during an active attack on a Linux-based web server of a leading educational institution, it is also known to have Mach-O and Windows PE versions. SysJoker masquerades as a system update and establishes command and control (C2) by decoding a string retrieved from a text file hosted on Google Drive. During analysis by the security firm Intezer that discovered the malware, the C2 address changed three times, indicating that the attacker is active and monitoring for infected machines. The likely attack vector for this malware is via an infected npm package. SysJoker’s behavior is similar for all three operating systems; however, unlike the Mac and Linux samples, the Windows version contains a first-stage dropper that drops a zipped SysJoker from C2, copies it to C:\ProgramData\RecoverySystem\recoveryWindows.zip, unzips it, and executes it via PowerShell commands. SysJoker creates persistence by adding an entry to the registry run key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run then begins its C2 communication. So far, the C2 has not responded with a next stage instruction during analysis.
WHY IS IT NOTEWORTHY?
There are several noteworthy points about this malware that lead to the likely conclusion that it was designed and is currently being used by an advanced threat actor:
- The malware is sophisticated and tailored for each operating system it targets. Until the past few days, both the macOS and Linux samples went fully undetected in popular threat feeds.
- The code was written from scratch and not previously used in other attacks. This includes the Linux code, and it is rare to find previously unseen Linux malware used in a live attack.
- During analysis by Intezer, there was no second stage of the attack or next command sent from the attacker, suggesting that the attacks are specifically aimed towards the targeted organization(s). This is typical behavior of an advanced threat actor looking to go after specific institutions.
In addition to potential espionage and lateral movement, a SysJoker infection could lead to a ransomware attack at a later stage.
WHAT IS THE EXPOSURE OR RISK?
Based on victimology and malware behavior, it is likely that SysJoker is after specific institutions. However, even if you do not believe your organization is a likely target of an advanced threat actor, that does not necessarily mean you are safe. Because the responsible threat actors have not publicly disclosed their targets, your organization could also be attacked or considered a target. Additionally, techniques and pieces of the malware could be reused by different threat actors to target other organizations in the future.
WHAT ARE THE RECOMMENDATIONS?
To protect your environment against SysJoker, take the following steps:
- At this time, Barracuda MSP has loaded the following Indicators of Compromise into our Security Operations Center to help Partners monitor for suspicious activity.
- Deploy endpoint protection in your environment. Endpoint protection will block stages of the malware execution process. For example, the Windows version of the malware requires PowerShell commands to run, so endpoint protection that employs Script Control will prevent successful execution of those commands.
- If you have been compromised, take the following steps:
  - Kill the processes related to SysJoker, delete the relevant persistence mechanism, and all files related to SysJoker. You can find those here.
  - Make sure that the infected machine is clean by running a memory scan.
  - Investigate the initial entry point of the malware. Be sure to check the configuration status and password complexity for publicly facing services, used software versions, and possible known exploits.
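As an added hunting example that is not part of the Barracuda advisory, the Python below scans Sysmon-style events for the Windows artifacts the advisory names: a file written under C:\ProgramData\RecoverySystem\, a PowerShell process referencing that directory, and a Run-key value pointing into it. The event field names, the SID, and the unzipped binary and Run-key value names are constructed placeholders, since the advisory does not give the latter two.

```python
"""Hunt Sysmon-style events for the SysJoker Windows artifacts named in the
advisory: the staging directory under C:\\ProgramData and a Run-key entry
pointing into it. Event dicts use simplified field names (assumption)."""
import re

# Artifacts taken from the advisory text (compared case-insensitively).
STAGING_DIR = "c:\\programdata\\recoverysystem\\"
# HKCU as written in the advisory, or the HKU\<SID> form Sysmon records.
RUN_KEY_RE = re.compile(
    r"^(hkcu|hkey_current_user|hku\\s-1-5-21-[\d-]+)"
    r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def _in_staging(value: str) -> bool:
    return STAGING_DIR in value.lower()


def hunt_sysjoker(events):
    """Return (rule_name, event) pairs for events matching the advisory chain."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 11 and _in_staging(ev.get("target", "")):          # FileCreate
            findings.append(("staging_dir_write", ev))
        elif eid == 13 and RUN_KEY_RE.match(ev.get("target", "")) \
                and _in_staging(ev.get("details", "")):              # RegistrySet
            findings.append(("run_key_persistence", ev))
        elif eid == 1 and ev.get("image", "").lower().endswith("\\powershell.exe") \
                and _in_staging(ev.get("command_line", "")):         # ProcessCreate
            findings.append(("powershell_staging", ev))
    return findings


# Constructed sample events, not from a real incident; names in <> are placeholders.
SAMPLE_EVENTS = [
    {"event_id": 11, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\<dropper>.exe",
     "target": "C:\\ProgramData\\RecoverySystem\\recoveryWindows.zip"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe <args> C:\\ProgramData\\RecoverySystem\\recoveryWindows.zip"},
    {"event_id": 13, "image": "C:\\ProgramData\\RecoverySystem\\<unzipped-binary>.exe",
     "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\<value-name>",
     "details": "C:\\ProgramData\\RecoverySystem\\<unzipped-binary>.exe"},
    # Benign noise: a legitimate Run entry and an unrelated ProgramData write.
    {"event_id": 13, "image": "C:\\Program Files\\Vendor\\setup.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "details": "C:\\Program Files\\Vendor\\agent.exe"},
    {"event_id": 11, "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\ProgramData\\Microsoft\\Windows\\Caches\\index.db"},
]

if __name__ == "__main__":
    for rule, ev in hunt_sysjoker(SAMPLE_EVENTS):
        print(rule, "->", ev.get("target") or ev.get("command_line"))
```

Matching on the directory rather than a file hash keeps the rule useful if the archive or binary is renamed, at the cost of needing the benign-noise check shown above.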
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.