New Threat Content Alert: SysJoker
Threat Actor/Adversary: Unknown
Threat Name: SysJoker
Threat Type: Backdoor
NetWitness Content Type(s): Application Rules
What’s New:
Two (2) threat-centric application rules:
Background:
The NetWitness Threat Research Intelligence Content team released two (2) application rules related to SysJoker that can be found in the ‘Community’ section of NetWitness Live! The team will continue to actively collect and appraise new data related to the threat, resulting in additional threat-centric content when appropriate. For questions regarding the ‘Community’ section of the NetWitness Live! environment, please contact either mitch.hanks@netwitness.com or william.gragido@netwitness.com.
SysJoker is a backdoor that targets Microsoft Windows, Apple MacOS, and Linux-based operating systems. Closely associated with Trojans and often observed in blended threats, backdoors enable threat actors to circumvent existing authentication controls, resulting in remote and unfettered access to a given host, system, or environment and any associated resources.
The first reports of observed SysJoker activity have been credited and attributed to researchers at the Israeli cybersecurity firm Intezer, who discovered it during an active, real-time attack on a Linux-based web server at an educational institution. The Intezer team verified that Mach-O and Windows PE versions were present in VirusTotal (at some point in 2H 2021), with no submissions of variants associated with either MacOS or Linux.
SysJoker possesses the ability to masquerade as a system update. It derives its Command and Control (C2) address by decoding a string retrieved from a text file hosted on Google Drive (a long-standing and ongoing problem associated with cloud providers). It should be noted that at the time of Intezer's initial write-up in January 2022[i], the active C2 had already changed no fewer than three (3) times. The takeaway is that the threat actor in question, theorized by some groups as being tied to a state actor (which has resulted in SysJoker being classified as an advanced persistent threat[ii]), was actively monitoring infected machines across several different victim profiles and targets.
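As an added illustration of the C2 resolution behaviour described above (example code written for this alert, not NetWitness content and not the published application rules): a Python hunt over constructed proxy-log lines that flags a host fetching a file through a Google Drive download URL and then, within a short window, contacting a destination outside a known-good baseline. The log format, the Google Drive URL pattern, the baseline set and the time window are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the alert): "<ISO time> <src_host> <method> <url>".
# 192.0.2.x / 198.51.100.x are documentation addresses standing in for C2 endpoints.
SAMPLE_LOG = """\
2022-01-11T09:00:01 ws-17 GET https://updates.example.com/catalog
2022-01-11T09:02:10 ws-17 GET https://drive.google.com/uc?export=download&id=EXAMPLE_FILE_ID
2022-01-11T09:02:12 ws-17 GET https://192.0.2.45/api/attach
2022-01-11T09:05:00 ws-22 GET https://drive.google.com/uc?export=download&id=EXAMPLE_FILE_ID2
2022-01-11T09:06:30 ws-22 GET https://www.example.org/index.html
2022-01-11T09:40:00 ws-22 GET https://198.51.100.9/api/attach
"""

# Destinations considered known-good for this environment (assumption; tune per site).
BASELINE_HOSTS = {"updates.example.com", "www.example.org", "drive.google.com"}
# Google Drive direct-download URL shape used as the dead-drop indicator (assumption).
DEAD_DROP_RE = re.compile(r"https?://(drive|docs)\.google\.com/uc\?export=download")
WINDOW = timedelta(minutes=10)  # how long after the Drive fetch a new destination is suspicious

def parse(line):
    ts, host, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, method, url

def dest_host(url):
    return re.match(r"https?://([^/:]+)", url).group(1)

def find_dead_drop_followups(log_text, baseline=BASELINE_HOSTS, window=WINDOW):
    """Return (src_host, drop_url, new_dest) triples: a Google Drive file fetch
    followed within `window` by a connection to a destination not in the baseline.
    This matches the C2-from-Drive resolution described in the alert and is a
    hunting lead to triage, not a verdict."""
    events = sorted(parse(l) for l in log_text.strip().splitlines())
    alerts = []
    pending = {}  # src_host -> (time of Drive fetch, Drive url)
    for ts, host, _method, url in events:
        if DEAD_DROP_RE.match(url):
            pending[host] = (ts, url)
            continue
        if host in pending:
            t0, drop_url = pending[host]
            if ts - t0 > window:        # stale fetch: stop correlating against it
                del pending[host]
                continue
            if dest_host(url) not in baseline:
                alerts.append((host, drop_url, dest_host(url)))
                del pending[host]
    return alerts
```

On the constructed sample, ws-17 is flagged (Drive fetch followed two seconds later by a new destination) while ws-22 is not, because its non-baseline connection falls outside the window.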
[i] https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
[ii] https://www.scmagazine.com/news/cloud-security/new-sysjoker-backdoor-targets-windows-mac-and-linux-machines