SysJoker Malware Attacking Windows, Linux and Mac Users Abusing OneDrive

by Esmeralda McKenzie

SysJoker malware, a multi-platform backdoor with several variants for Windows, Linux, and macOS, has been observed being used by a Hamas-affiliated APT to target Israel. The malware was first identified by Intezer in 2021 and has recently been used in targeted attacks.

Check Point researchers disclosed the malware's evolution, the variations in the complexity of its execution flow, its recent move to the Rust language, and the current infrastructure it uses.

Furthermore, the threat actor switched from using Google Drive to OneDrive to host dynamic C2 (command and control) server URLs.

This gives them an advantage over various reputation-based services. This behavior is consistent across the different SysJoker variants.

Rust version of SysJoker

During analysis, at certain points in its execution, the malware uses random sleep intervals, which the researchers say are likely anti-analysis or anti-sandbox techniques.

SysJoker uses OneDrive to retrieve a URL that provides the C2 server address. Attackers can easily change the C2 address through OneDrive, which gives them an advantage over other reputation-based services.

“The malware collects information about the infected system, including the Windows version, username, MAC address, and various other data,” Check Point said in a statement shared with Cyber Security News.

Command request and response

It's important to note that in earlier SysJoker operations, the malware was also capable of downloading and running remote files from an archive, as well as executing operator-issued commands. The Rust version lacks this capability.

Windows SysJoker Variants

Researchers have found two additional SysJoker samples that had not previously been made public. Perhaps because of the malware's public discovery and analysis, both of these samples have a slightly higher level of complexity than the Rust version.

One of these samples, unlike the others, shows a multi-stage execution flow comprising a downloader, an installer, and a separate payload DLL.

This campaign takes advantage of dynamically configured infrastructure. The malware first establishes a connection to a OneDrive address and then decrypts the JSON containing the C2 address.

The C2 address is base64-encoded and protected with a hardcoded XOR key. This threat actor frequently uses cloud storage services.
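To show how an analyst would recover the address from a dead-drop file of the kind described above (a base64 layer over XOR with a hardcoded key, wrapping JSON), the following added example, which is not code from the article or from Check Point, builds and then decodes a constructed configuration. The key, the JSON field name `url` and the C2 URL are hypothetical placeholders, not values from a real sample.

```python
"""Decode a SysJoker-style dead-drop configuration: base64 text that,
once decoded, is XOR'd with a hardcoded key and yields JSON holding the
C2 address. Added analysis example; key, blob and JSON layout are
constructed here and are not taken from a real sample."""
import base64
import json
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: encode == decode)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_config(config: dict, key: bytes) -> str:
    """Layer the config the way the dropped file is described:
    JSON -> XOR -> base64. Used only to construct the fixture below."""
    raw = json.dumps(config).encode("utf-8")
    return base64.b64encode(xor_bytes(raw, key)).decode("ascii")


def decode_config(blob: str, key: bytes) -> dict:
    """Reverse the layering: base64 -> XOR -> JSON. A wrong key does not
    produce valid JSON, so it surfaces as ValueError instead of garbage."""
    raw = xor_bytes(base64.b64decode(blob), key)
    try:
        return json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("wrong key or corrupt blob") from exc


def extract_c2(blob: str, key: bytes, field: str = "url") -> str:
    """Return the C2 address field from a decoded configuration."""
    return decode_config(blob, key)[field]


# Constructed fixture: hypothetical XOR key and a reserved-domain C2 URL.
SAMPLE_KEY = b"example-key-not-real"
SAMPLE_CONFIG = {"url": "https://c2.example.invalid/api"}
SAMPLE_BLOB = encode_config(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    print("blob:", SAMPLE_BLOB)
    print("c2:  ", extract_c2(SAMPLE_BLOB, SAMPLE_KEY))
```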

Metadata of OneDrive file containing the encrypted C2 server

According to researchers, the malware's initial versions were written in C++. Since there is no straightforward way to translate that code to Rust, this indicates that the malware underwent an extensive rebuild and may serve as a foundation for future modifications and enhancements.

Source credit : cybersecuritynews.com