New multiplatform backdoor exploited by advanced threat actor

A new cross-platform backdoor dubbed SysJoker has successfully evaded security solutions since mid-2021.

“In the Linux and macOS versions, it masquerades as a system update. In the Windows version, it masquerades as Intel drivers. The update names are somewhat generic: in the macOS version the file is moved and named ‘updateMacOs’ and in the Linux version it is named ‘updateSystem’,” Avigayil Mechtinger, security researcher at Intezer, told Help Net Security.

SysJoker: A cross-platform backdoor

Intezer researchers spotted the backdoor during an active attack on an Apache web server at a leading educational institution. It had been downloaded via a reverse shell.

The behavior of SysJoker is similar for all three operating systems: once executed, it “falls asleep” for 90 to 120 seconds before starting to:

  • Create directories and copy itself into them
  • Collect machine information (MAC address, user name, physical media serial number, IP address)
  • Add entries to a registry key to achieve persistence
  • Contact a command and control server

The various instructions that it can receive from the C2 server allow it to drop and execute another executable, as well as to execute specific commands.


The only difference between the Windows version and those for Linux and macOS is that the former contains a first stage dropper.

A stealthy threat

When the researchers released their findings on Tuesday, January 12, the Linux and macOS versions of SysJoker were still not detected by any of the security solutions on VirusTotal. Since then, about a dozen have started to flag them.

“Based on the C2 domain registration and samples found in VirusTotal, we estimate that the SysJoker attack was launched in the second half of 2021. During our analysis, the C2 changed three times, indicating that the attacker is active and is monitoring infected machines,” the researchers shared.

They did not observe many samples of the malware in the wild, so they believe the attacks are limited in scope.

The immaturity of security tooling for Linux and macOS systems and the obfuscation of the C2 server domains are among the other reasons Mechtinger cites for the malware staying under the radar for so long.

“The domain is dynamically fetched from a Google Drive link, so the address is easy to update, and any traffic to Google Drive will not normally be considered suspicious on a network,” Mechtinger explained.
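The behaviour list above (sleep, copy, persistence, C2 contact) and the Google Drive dead-drop resolver just described translate into a small hunt over endpoint telemetry. The following Python is an added example written for this article; it is not Intezer's published detection content. The event schema, field names, the domain allowlist, the registry key location and all sample events are constructed for the example, and the only indicators taken from the article are the two file names ‘updateMacOs’ and ‘updateSystem’; the C2 domain in the sample data is a placeholder, not a real IoC.

```python
"""Hunt for SysJoker-style behaviour in endpoint telemetry (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# File names Intezer reported for the macOS and Linux payloads.
SUSPECT_BINARY_NAMES = {"updateMacOs", "updateSystem"}
# Hosts the malware uses as a dead drop to fetch its real C2 address. Traffic
# to them is normal on most networks, so the rule keys on what happens next.
DEAD_DROP_HOSTS = {"drive.google.com", "docs.google.com"}
# Assumed allowlist (constructed): domains a process may contact after Google
# Drive without tripping the dead-drop rule.
BENIGN_DOMAINS = DEAD_DROP_HOSTS | {"www.google.com", "accounts.google.com"}
DEAD_DROP_WINDOW = timedelta(minutes=5)
MIN_INITIAL_SLEEP = timedelta(seconds=90)  # reported sleep before first activity


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def hunt(events):
    """Return a sorted list of (host, pid, rule) tuples for suspicious processes."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_proc[(ev["host"], ev["pid"])].append(ev)

    findings = set()
    for (host, pid), evs in by_proc.items():
        start = next((e for e in evs if e["type"] == "process_start"), None)
        if start is None:
            continue
        image = start["image"]

        # Rule 1: the generic "system update" file names used on macOS/Linux.
        if _basename(image) in SUSPECT_BINARY_NAMES:
            findings.add((host, pid, "masquerading_update_binary"))

        # Rule 2: a persistence entry whose data points back at this process image
        # (the key path is not checked, so it works whatever Run key is used).
        for e in evs:
            if e["type"] == "registry_set" and image.lower() in e["data"].lower():
                findings.add((host, pid, "registry_persistence"))

        # Rule 3: dead-drop resolution: a Google Drive fetch followed within the
        # window by a connection to a domain that is not on the allowlist.
        net = [e for e in evs if e["type"] in ("http", "dns")]
        drop = next((e for e in net if e["domain"] in DEAD_DROP_HOSTS), None)
        if drop is not None:
            for e in net:
                if (e["domain"] not in BENIGN_DOMAINS
                        and timedelta(0) < _ts(e) - _ts(drop) <= DEAD_DROP_WINDOW):
                    findings.add((host, pid, "dead_drop_then_c2"))
                    break

        # Supporting signal only: first network activity arrives after the
        # reported initial sleep, and another rule already fired for this process.
        if net and _ts(net[0]) - _ts(start) >= MIN_INITIAL_SLEEP:
            if any(f[:2] == (host, pid) for f in findings):
                findings.add((host, pid, "delayed_first_beacon"))

    return sorted(findings)


# Constructed telemetry: an infected Linux web server, an infected Windows
# workstation, and a benign browser session that also touches Google Drive.
SAMPLE_EVENTS = [
    {"host": "lab-web-01", "pid": 4242, "ts": "2022-01-10T10:00:00",
     "type": "process_start", "image": "/tmp/updateSystem"},
    {"host": "lab-web-01", "pid": 4242, "ts": "2022-01-10T10:01:45",
     "type": "http", "domain": "drive.google.com"},
    {"host": "lab-web-01", "pid": 4242, "ts": "2022-01-10T10:01:47",
     "type": "dns", "domain": "c2.example"},  # placeholder, not a real IoC
    {"host": "lab-ws-07", "pid": 800, "ts": "2022-01-10T11:00:00",
     "type": "process_start",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\inteldrv.exe"},  # constructed name
    {"host": "lab-ws-07", "pid": 800, "ts": "2022-01-10T11:00:01",
     "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",  # assumed location
     "data": "C:\\Users\\alice\\AppData\\Local\\Temp\\inteldrv.exe"},
    {"host": "lab-ws-07", "pid": 800, "ts": "2022-01-10T11:02:00",
     "type": "http", "domain": "drive.google.com"},
    {"host": "lab-ws-07", "pid": 800, "ts": "2022-01-10T11:02:03",
     "type": "http", "domain": "c2.example"},
    {"host": "lab-ws-07", "pid": 3100, "ts": "2022-01-10T11:05:00",
     "type": "process_start", "image": "C:\\Program Files\\Browser\\browser.exe"},
    {"host": "lab-ws-07", "pid": 3100, "ts": "2022-01-10T11:05:02",
     "type": "http", "domain": "drive.google.com"},
    {"host": "lab-ws-07", "pid": 3100, "ts": "2022-01-10T11:05:03",
     "type": "http", "domain": "www.google.com"},
]

if __name__ == "__main__":
    for host, pid, rule in hunt(SAMPLE_EVENTS):
        print(f"{host} pid={pid} {rule}")
```

The dead-drop rule is the one that generalises beyond the two reported file names: it ignores the Google Drive request itself (which, as Mechtinger notes, looks benign) and instead flags the next unallowlisted destination the same process contacts, so it still fires for the Windows sample whose file name is unknown. The browser session shows why the allowlist matters: a Drive fetch followed by another Google domain produces no finding.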

It is not known whether there were other targets or victims. Judging from the information currently available, the attacker appears to be focusing on academic institutions.

“One of the C2 server domains typosquats the ‘Bookitlab’ software, which is commonly used by universities and scientific institutions as facility management and laboratory equipment scheduling software,” Mechtinger explained.

The researchers believe that the SysJoker attack is carried out by an advanced threat actor because the malware code (for all three operating systems) is original, because it is rare to find previously unknown Linux malware in a live attack, and because they did not observe a second stage or any command sent by the attacker (which suggests the attack is targeted).

Remediation

It is impossible to tell whether the malware is setting the stage for cyber espionage or for the deployment of ransomware. Neither goal is good news for potential targets, and either could have very serious consequences.

The researchers have published Indicators of Compromise (IoC) and detection content to help defenders find infected machines on their networks, and offered remediation advice.
