

Malware targeting multiple operating systems is no longer an exception in the threat landscape. Vermilion Strike, which was documented just last September, is among the most recent examples. In December 2021, we discovered a new multi-platform backdoor that targets Windows, macOS, and Linux. The Linux and macOS versions are fully undetected in VirusTotal. SysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution. After further investigation, we found that SysJoker also has Mach-O and Windows PE versions. Based on Command and Control (C2) domain registration and samples found in VirusTotal, we estimate that the SysJoker attack was initiated during the second half of 2021. SysJoker masquerades as a system update and generates its C2 address by decoding a string retrieved from a text file hosted on Google Drive. During our analysis the C2 changed three times, indicating that the attacker is active and monitoring for infected machines.

Based on victimology and the malware's behavior, we assess that SysJoker is after specific targets. SysJoker was uploaded to VirusTotal with the suffix. A possible attack vector for this malware is an infected npm package. Below we provide a technical analysis of this malware together with IoCs and detection and response mitigations. The malware is written in C++, and each sample is tailored to the specific operating system it targets.

[Figure: IDA code snippet of the parsing function, building the cmd command response.]

During our analysis, the C2 has not responded with a next-stage instruction.

Both the macOS and Linux samples are fully undetected in VirusTotal. To detect whether a machine in your organization has been compromised, we recommend taking the following steps:

1. Use memory scanners to detect the SysJoker payload in memory. For Linux machines, use Intezer Protect to gain full runtime visibility over the code in your Linux-based systems and get alerted on any malicious or unauthorized code. For Windows machines, use Intezer's Endpoint Scanner, which gives you visibility into the type and origin of all binary code that resides in your machine's memory. The figure below shows an example of an endpoint infected with SysJoker:

[Figure: Endpoint Scanner results for an endpoint infected with SysJoker.]

2. Use detection content to search in your EDR or SIEM. We provide IoCs and a rich list of detection content for each operating system below. Use these with your EDR or SIEM to hunt for infected machines.
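The EDR/SIEM hunt described above, as an added example that is not Intezer's code or detection content: a Python script that runs two checks over per-process network telemetry, a direct match against an IoC domain list and a behavioral rule for the dead-drop pattern the report describes (a non-browser process fetching from Google Drive and then, shortly afterwards, contacting another host, which is where the decoded C2 would be). The JSON-lines event format, the file paths, the hostnames, the `c2-placeholder.example` domain and the empty `IOC_DOMAINS` set are all constructed assumptions for the example; replace them with your EDR's export and the IoCs published with the report.

```python
"""Hunt for the SysJoker dead-drop pattern in EDR network telemetry.

Added example, not Intezer's code or detection content. It assumes a JSON-lines
export of per-process network events with the fields ts (ISO-8601), host, pid,
image and dst_host; adapt parse_events() to your EDR's schema.
"""
import json
from datetime import datetime, timedelta

# Placeholder: fill with the C2 domains from the published IoC list.
IOC_DOMAINS: set[str] = set()

# Hosts the malware uses as a dead drop to fetch the encoded C2 string.
DEAD_DROP_HOSTS = {"drive.google.com", "docs.google.com"}

# Browsers legitimately talk to Google Drive all day; exclude them from the
# behavioral rule (they are still subject to the IoC match).
BROWSER_NAMES = {"chrome.exe", "msedge.exe", "firefox.exe", "chrome", "firefox", "safari"}

# How soon after the dead-drop fetch the first C2 contact must follow.
WINDOW = timedelta(minutes=10)

# Constructed telemetry for illustration; the paths, hostnames and the
# c2-placeholder.example domain are invented, not real SysJoker IoCs.
SAMPLE_EVENTS = r"""
{"ts": "2022-01-11T10:00:00", "host": "ws-01", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "dst_host": "drive.google.com"}
{"ts": "2022-01-11T10:00:03", "host": "ws-01", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "dst_host": "c2-placeholder.example"}
{"ts": "2022-01-11T10:01:00", "host": "ws-01", "pid": 2208, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dst_host": "drive.google.com"}
{"ts": "2022-01-11T10:01:05", "host": "ws-01", "pid": 2208, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dst_host": "github.com"}
{"ts": "2022-01-11T10:02:00", "host": "srv-02", "pid": 9137, "image": "/usr/bin/curl", "dst_host": "drive.google.com"}
{"ts": "2022-01-11T10:03:00", "host": "srv-02", "pid": 7781, "image": "/tmp/.update/sysUpdate", "dst_host": "drive.google.com"}
{"ts": "2022-01-11T10:03:02", "host": "srv-02", "pid": 7781, "image": "/tmp/.update/sysUpdate", "dst_host": "c2-placeholder.example"}
{"ts": "2022-01-11T10:30:00", "host": "srv-02", "pid": 7781, "image": "/tmp/.update/sysUpdate", "dst_host": "c2-placeholder.example"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def _basename(image: str) -> str:
    """Process name from a Windows or POSIX image path, lower-cased."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events: list[dict], ioc_domains: set[str] = IOC_DOMAINS,
         window: timedelta = WINDOW) -> list[dict]:
    """Return findings: direct IoC hits plus dead-drop-then-C2 sequences per process."""
    findings = []
    by_process: dict[tuple, list[dict]] = {}
    for event in events:
        key = (event["host"], event["pid"], event["image"])
        by_process.setdefault(key, []).append(event)

    for (host, pid, image), proc_events in by_process.items():
        # Check 1: any connection to a domain on the IoC list.
        for event in proc_events:
            if event["dst_host"].lower() in ioc_domains:
                findings.append({"host": host, "pid": pid, "image": image,
                                 "reason": "ioc_match",
                                 "dst_host": event["dst_host"], "ts": event["ts"]})

        # Check 2: a non-browser process reads the dead drop, then contacts
        # some other host within the window (the decoded C2 candidate).
        if _basename(image) in BROWSER_NAMES:
            continue
        for drop in (e for e in proc_events if e["dst_host"].lower() in DEAD_DROP_HOSTS):
            followers = [e for e in proc_events
                         if drop["ts"] < e["ts"] <= drop["ts"] + window
                         and e["dst_host"].lower() not in DEAD_DROP_HOSTS]
            if followers:
                findings.append({"host": host, "pid": pid, "image": image,
                                 "reason": "dead_drop_then_c2",
                                 "c2_candidate": followers[0]["dst_host"],
                                 "ts": drop["ts"]})
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the constructed sample the behavioral rule flags the two fake updaters (`update.exe` on ws-01 and `sysUpdate` on srv-02) and stays quiet for the browser and for the lone `curl` fetch that is never followed by another connection. Expect legitimate sync clients and auto-updaters that fetch from Google Drive to trigger the same rule; add those images to an allowlist rather than widening the browser set, and treat the `c2_candidate` as a pivot for a retrospective search across the rest of the fleet.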
