[MART] - Daily Diary #430 - Meet SysJoker Backdoor

CTAS-MAT ctas-mat at appgate.com
Wed Jan 12 22:51:00 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

01/12/2022 - Diary entry #430:

SysJoker is a multi-platform backdoor first spotted in December 2021 during an attack on a Linux-based web server belonging to an educational institution. It is written in C++, and each variant is built for the targeted operating system (Windows, Linux, or macOS). The Windows variant ships with a first-stage dropper DLL.

Once executed on Windows, SysJoker fingerprints the machine by running PowerShell commands, a Living off the Land technique that avoids dropping extra tooling onto the host. It collects the MAC address, user name, physical media serial number, and IP address and sends them to the C2. It then sets up persistence through a registry key.
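One way to hunt for the persistence step described above is to watch registry value-set events for autostart entries that point into user-writable directories, which is where a backdoor posing as a "system update" typically lives. The script below is an added example, not code from the original diary entry or from any SysJoker analysis; it assumes the persistence key is a Run/RunOnce autostart value (the diary only says "registry key") and operates on constructed Sysmon-style Event ID 13 lines in a simplified "Key=Value|Key=Value" layout, not on a real log format.

```python
import re
from dataclasses import dataclass

# Autostart locations (Run / RunOnce, including the WOW6432Node view) that a
# backdoor can use for persistence. Matched case-insensitively against the
# TargetObject field of a registry value-set event.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)

# Directories a non-admin process can write to. A legitimate autostart entry
# that lives in one of these is unusual enough to warrant a look.
USER_WRITABLE_RE = re.compile(
    r"(?:\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\|\\Temp\\)",
    re.IGNORECASE,
)

# Constructed sample events (hypothetical hosts, users and paths).
# Line 2 mimics the SysJoker pattern: a binary in AppData adding itself to Run.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Windows\\System32\\msiexec.exe"
    "|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
    "|Details=\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background",
    "EventID=13|Image=C:\\Users\\alice\\AppData\\Roaming\\Updater\\update.exe"
    "|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemUpdate"
    "|Details=\"C:\\Users\\alice\\AppData\\Roaming\\Updater\\update.exe\"",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c whoami",
    "EventID=13|Image=C:\\Windows\\regedit.exe"
    "|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Foo"
    "|Details=C:\\ProgramData\\foo\\foo.exe",
]


@dataclass
class RunKeyAlert:
    image: str    # process that wrote the value
    target: str   # full registry value path
    details: str  # value data, i.e. the command that will autostart
    reason: str   # why the entry was flagged


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' line into a dict (no '|' inside values)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def extract_path(details: str) -> str:
    """Return the executable path from an autostart command, dropping quotes and arguments."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ")[0]


def flag_run_key_events(lines) -> list:
    """Return alerts for Run-key writes whose target or writer sits in a user-writable directory."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":          # only registry value-set events
            continue
        target = ev.get("TargetObject", "")
        if not RUN_KEY_RE.search(target):      # only autostart keys
            continue
        image = ev.get("Image", "")
        details = ev.get("Details", "")
        reasons = []
        if USER_WRITABLE_RE.search(extract_path(details)):
            reasons.append("autostart binary in user-writable directory")
        if USER_WRITABLE_RE.search(image):
            reasons.append("Run value written by a process in user-writable directory")
        if reasons:
            alerts.append(RunKeyAlert(image, target, details, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in flag_run_key_events(SAMPLE_EVENTS):
        print(f"{alert.target}\n  data:   {alert.details}\n  writer: {alert.image}\n  reason: {alert.reason}")
```

On the sample data only the AppData "SystemUpdate" entry and the ProgramData entry are flagged; the OneDrive entry written by msiexec into Program Files is left alone. A real deployment would feed this the TargetObject, Image and Details fields of Sysmon Event ID 13 and tune USER_WRITABLE_RE to the environment's own software-deployment paths.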

SysJoker disguises itself as a system update and resolves its C2 address from a text file hosted on Google Drive. Hosting encoded C2 addresses on trusted public services is a common malware technique: the initial request goes to a legitimate, widely used domain that is hard to block on ordinary firewall appliances, and the operator can change the real C2 simply by editing the hosted file. Once a connection is established, the C2 can instruct the backdoor to install additional malware, run commands on the infected device, or remove itself from the registry as a kill switch.

Since no second-stage payload has been observed yet, and no commands have been seen coming from the attacker, SysJoker is probably being used in targeted attacks or for espionage purposes.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
C: +55 11 97467 9549
