
SysJoker Malware Hits: Multi-OS Alert! 🚨💻


SysJoker Malware Attacking Windows, Linux and Mac Users through OneDrive

SysJoker malware has been observed attacking Windows, Linux, and Mac users, abusing OneDrive. The malware is a multi-platform backdoor with several variants and was first identified by Intezer in 2021. Recently, it has been used in targeted attacks by a Hamas-affiliated APT to target Israel.

Researchers have disclosed the malware's evolution, the varying complexity of its execution flow across variants, its most recent switch to the Rust language, and the infrastructure it currently uses. Additionally, the threat actor switched from Google Drive to OneDrive for hosting dynamic C2 (command and control server) URLs, which lets them stay ahead of reputation-based blocking services. This behavior is consistent across the various SysJoker versions.

Key Takeaways

  • SysJoker malware is a multi-platform backdoor that targets Windows, Linux, and Mac users, abusing OneDrive to keep dynamic C2 URLs.
  • The malware was first identified by Intezer in 2021 and has been recently used in targeted attacks by a Hamas-affiliated APT to target Israel.
  • Researchers have disclosed the malware's evolution, the varying complexity of its execution flow across variants, its most recent switch to the Rust language, and the infrastructure it currently uses.


Rust Version of SysJoker

SysJoker is a multi-platform malware that has been observed attacking Windows, Linux, and Mac systems. During its execution, the malware sleeps for unpredictable intervals, which is likely an anti-analysis or anti-sandbox technique. The malware fetches a URL hosted on OneDrive to obtain the C2 server address; because the attackers can change that address at any time, the approach gives them an advantage over reputation-based blocking services.

According to Checkpoint, the malware collects information about the infected system, including the Windows version, username, MAC address, and various other data. However, the Rust version of SysJoker lacks the ability to download and run remote files from an archive and to execute operator-dictated commands, capabilities that were present in earlier SysJoker variants.

It is important to note that the Rust version of SysJoker has been linked to Hamas-affiliated APTs targeting Israel. The malware was first identified by Intezer in 2021 and has recently been used in targeted attacks. The Rust version is a complete rewrite of the malware in the Rust programming language rather than a port of the earlier code.

The malware has also been observed abusing LaunchAgents on infected macOS systems and cron jobs on Linux-based web servers for persistence. Therefore, it is important to take the necessary precautions to protect against SysJoker's attacks.

Windows SysJoker Variants

Security researchers have discovered two additional SysJoker samples that are more complex than the Rust version. One of these samples has a multi-stage execution flow that includes a downloader, an installer, and a separate payload DLL. This is different from the other variants.

The malware utilizes dynamically configured infrastructure and connects to a OneDrive address. The C2 address is decrypted from a JSON file that is base64-encoded and XOR-encrypted with a hardcoded key. The threat actor frequently uses cloud storage services.
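The config layering described above (base64 over XOR over JSON) is simple enough to reverse when triaging a sample. The following is an added example, not code from the article or from the SysJoker analyses it summarises; the XOR key, the JSON field name `url`, and the sample config are all constructed placeholders, since the page does not give the real values.

```python
import base64
import json

# Constructed, hypothetical XOR key; the real sample's hardcoded key is not on the page.
XOR_KEY = b"example-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_c2_config(blob: str, key: bytes) -> dict:
    """Reverse the described layering: base64 decode -> XOR -> parse JSON.

    Raises ValueError (base64, UTF-8 and JSON errors are all subclasses)
    when the key is wrong or the blob is not a config of this shape.
    """
    raw = base64.b64decode(blob, validate=True)
    plain = xor_bytes(raw, key)
    return json.loads(plain.decode("utf-8"))


def encode_c2_config(config: dict, key: bytes) -> str:
    """Forward direction, used here only to build an offline test fixture."""
    plain = json.dumps(config).encode("utf-8")
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


def extract_c2_url(blob: str, key: bytes):
    """Return the C2 URL from a decoded config, or None if it does not parse.

    The field name "url" is an assumption; the page does not name the field.
    """
    try:
        cfg = decode_c2_config(blob, key)
    except ValueError:
        return None
    url = cfg.get("url")
    if not isinstance(url, str) or not url.startswith(("http://", "https://")):
        return None
    return url


# Constructed sample config and the blob an analyst would pull out of the sample.
CONSTRUCTED_CONFIG = {"url": "https://c2.example.invalid/api", "sleep": 30}
CONSTRUCTED_BLOB = encode_c2_config(CONSTRUCTED_CONFIG, XOR_KEY)
```

Feeding the blob through `extract_c2_url` with the wrong key returns None instead of garbage, which is the check a triage script should make before adding the result to a block list.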

The initial versions of the malware were written in C++, so the Rust variant represents a thorough rebuild rather than a translation, as there is no easy way to convert that code to Rust. The rewrite may serve as a foundation for future modifications and enhancements.

SysJoker targets Windows, Linux, and macOS. It is important to keep Windows up to date with the latest security updates and patches. Users should also be cautious when running PowerShell commands and be aware of any suspicious activity in the registry. One of the Windows variants runs under the name igfxcuiservice.exe, the name of a legitimate Intel Graphics Control Panel Service; the malware disguises itself as this service to avoid detection.

Overall, SysJoker is a sophisticated and evolving malware that can evade detection on multiple operating systems. It is important to have a comprehensive security solution that can detect and remove this malware.


Frequently Asked Questions

What methods does SysJoker malware use to infiltrate systems across different operating systems?

SysJoker malware is a multi-platform backdoor malware that targets Windows, Linux, and Mac operating systems. It uses different methods to infiltrate systems across different operating systems. For instance, it can be distributed through malicious email attachments, fake software updates, and drive-by downloads. The malware can also exploit vulnerabilities in operating systems and software to gain access to systems.

How does SysJoker abuse OneDrive for its attack campaign?

SysJoker malware abuses OneDrive, a cloud-based file hosting service provided by Microsoft, for its attack campaign. The malware uses OneDrive to store and distribute its malicious payloads. It creates a OneDrive account and uploads the malicious files to the account. The malware then uses a command-and-control server to download and execute the malicious files on the compromised systems.

What are the signs that a device has been compromised by SysJoker malware?

There are several signs that a device has been compromised by SysJoker malware. These include unexpected pop-ups, slow performance, changes in system settings, and the appearance of new files or programs. The malware can also disable security software and prevent users from accessing certain websites.

What steps should users take to protect their devices from SysJoker attacks?

Users can take several steps to protect their devices from SysJoker attacks. These include:

  • Keeping their operating systems and software up to date with the latest security patches.
  • Avoiding suspicious emails and attachments and not clicking on links from unknown sources.
  • Using strong and unique passwords for their accounts and enabling two-factor authentication.
  • Installing and regularly updating anti-virus and anti-malware software.
  • Backing up important files to an external drive or cloud-based storage service.

How can one identify and remove SysJoker malware from an infected system?

Users can identify and remove SysJoker malware from an infected system by using anti-virus and anti-malware software. These programs can detect and remove the malware from the system. Users can also manually remove the malware by deleting the malicious files and registry entries associated with the malware. However, manual removal can be difficult and risky, and it is recommended that users seek the help of a professional if they are unsure how to remove the malware.

What are the implications of cross-platform malware like SysJoker for cybersecurity?

Cross-platform malware like SysJoker poses a significant threat to cybersecurity. It can infect systems across different operating systems, making it difficult for security professionals to detect and remove the malware. Cross-platform malware also highlights the need for better security practices and the importance of keeping operating systems and software up to date with the latest security patches.
