Cross-platform SysJoker backdoor attacks Windows, macOS and Linux

Intezer experts have discovered a new cross-platform SysJoker backdoor that is used against devices on Windows, Linux and macOS as part of a cyberspy campaign.

According to researchers, the malware has been active since at least the second half of 2021. The malware was first discovered in December 2021 during an attack on a Linux-based web server owned by an unnamed educational institution.

The malware is written in C++ and each variant is adapted for a specific operating system. However, none of the variants is detected by the security solutions on VirusTotal.

"SysJoker masquerades as a system update and derives its C&C server address by decoding a string retrieved from a text file hosted on Google Drive. Judging by the victimology and the behavior of the malware, we believe that SysJoker is used in targeted attacks," the analysts say.


On Windows, SysJoker uses a first-stage dropper in DLL form, which then runs PowerShell commands that do the following: fetch the SysJoker ZIP archive from a GitHub repository, extract it to C:\ProgramData\RecoverySystem\, and execute the payload. The malware sleeps for about two minutes before creating a new directory and copying itself there as the Intel Graphics Common User Interface Service (igfxCUIService.exe).

"Afterwards, SysJoker collects information about the machine using Living off the Land (LotL) commands. SysJoker uses various temporary text files to store the results. These text files are immediately deleted; the results are saved as a JSON object, then encoded and written to the file microsoft_Windows.dll," the report reads.

After collecting the data, the malware establishes persistence by adding a new registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run). The next step is the aforementioned call to the C&C server, which uses a hardcoded link to Google Drive.
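As an added example that is not part of Intezer's report, the following Python triage rules are keyed to the Windows indicators described above: the C:\ProgramData\RecoverySystem\ drop directory, the igfxCUIService.exe masquerade, the microsoft_Windows.dll staging file and the Run key persistence. The JSON-lines event shape and the sample events are constructed assumptions, loosely modelled on Sysmon event IDs 1 (process create), 11 (file create) and 13 (registry value set).

```python
import json
import re

# Indicators taken from the report text above: drop directory, masquerading
# file name, staging file and the Run key used for persistence.
DROP_DIR = "c:\\programdata\\recoverysystem\\"
MASQUERADE_NAME = "igfxcuiservice.exe"
STAGING_FILE = "microsoft_windows.dll"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)

# Constructed sample telemetry in a Sysmon-like JSON-lines shape (assumed, not real logs).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 11, "TargetFilename": "C:\\ProgramData\\RecoverySystem\\igfxCUIService.exe"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\igfxCUIService", "Details": "C:\\ProgramData\\RecoverySystem\\igfxCUIService.exe"}
{"EventID": 11, "TargetFilename": "C:\\ProgramData\\RecoverySystem\\microsoft_Windows.dll"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\a\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"EventID": 1, "Image": "C:\\ProgramData\\RecoverySystem\\igfxCUIService.exe"}
"""

def classify(event):
    """Return the names of the SysJoker rules this single event matches (empty if none)."""
    hits = []
    eid = event.get("EventID")
    if eid == 11:  # file create: anything written into the drop directory is suspicious
        path = event.get("TargetFilename", "").lower()
        if path.startswith(DROP_DIR):
            hits.append("sysjoker_drop_dir_write")
        if path.endswith("\\" + STAGING_FILE):
            hits.append("sysjoker_staging_file")
    elif eid == 13:  # registry value set: Run key pointing at the drop dir or masquerade name
        key = event.get("TargetObject", "")
        data = event.get("Details", "").lower()
        if RUN_KEY_RE.search(key) and (DROP_DIR in data or MASQUERADE_NAME in data):
            hits.append("sysjoker_run_key_persistence")
    elif eid == 1:  # process create: the Intel service name running from ProgramData
        image = event.get("Image", "").lower()
        if image.startswith(DROP_DIR) and image.endswith("\\" + MASQUERADE_NAME):
            hits.append("sysjoker_masquerade_process")
    return hits

def scan(jsonl):
    """Run classify() over every JSON line; return (rule, event) pairs for each hit."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        for rule in classify(event):
            findings.append((rule, event))
    return findings
```

The benign svchost.exe and OneDrive Run key entries produce no findings, while the four SysJoker-style events produce five rule hits (the staging DLL write matches two rules).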

Once the information collected during the first stages of infection has been sent to the C&C server, the server responds with a unique token, which later serves as the identifier of the infected machine. The C&C server can also order the backdoor to install additional malware, execute specific commands on the infected device, or delete itself. It is noted that the last two functions have not yet been fully implemented.

The researchers write that the Linux and macOS versions do not have a DLL dropper, but generally perform the same malicious operations on the infected device.


So far, the malware has not been attributed to any specific hacking group, but Intezer is confident that SysJoker is the work of a serious team whose ultimate goal is to collect data and move laterally within the victim's network, which could eventually lead to an extortion attack at the next stage.

You might also be interested to know that the Capoae malware installs a backdoor plugin on WordPress sites, and that the new XLoader malware steals credentials from macOS and Windows.

Helga Smith

I have always been interested in computer sciences, particularly data security and the subject that is nowadays called "data science", since my early teens. Before joining the Virus Removal team as editor-in-chief, I worked as a cybersecurity expert at several companies, including one of Amazon's contractors. Another experience: I have taught at the universities of Arden and Reading.
