Multi-stage, evasion-focused attacks are the hallmark of SysJoker, a new malware discovered in mid-December that is drawing the attention of security researchers. The malware uses obfuscation to stay hidden from security tools while fetching payloads built specifically for each platform from servers controlled by the attackers.
Despite the Joker in its name, there is nothing flashy about the malware: it is written in C++ and is not yet detected by most security products on the market. That makes the discovery by Intezer analysts all the more important, especially given the malware's focus on covering its tracks and on creating registry entries that give it persistence on infected machines.
Legitimate services such as Google Drive and GitHub are also used to deliver different stages of the attack. On Windows, the malware stays dormant for the first few minutes after infection before creating a new directory and disguising itself as an Intel service component; information about the compromised device is then sent to a server under the attackers' control, which delivers the malware used in later stages.
Those services host text files that point to the downloads of the malicious components, and the researchers observed them being changed constantly to evade network-level detection and blocking. A unique token is also assigned to each infected machine, so the attackers can single out large corporate servers or other high-value devices for targeted follow-up.
Among the capabilities Intezer observed are downloading additional malware and executing commands remotely, which lets the attackers open further avenues of infection or collect more information. SysJoker is also reported to be able to delete itself from the system when instructed, increasing its stealth after an attack. The Linux and macOS versions differ only in the initial delivery, which does not rely on a DLL; the later behavior is the same.
According to the researchers, the campaign is still expanding, with the first incidents appearing to focus on Linux servers. There is as yet no information on the lures used to get into systems, on the group's specific targets, or on whether the access is being used to deploy ransomware or other payloads, since the campaign is still in its early stages.
How to protect yourself
While most security products cannot yet detect the infection, uploading SysJoker samples to the VirusTotal repository is the first step toward that. Intezer has also released indicators of compromise for each operating system, published by the Bleeping Computer website, along with some of the domains used by the command-and-control servers, so that users and administrators can sweep their systems for signs of infection.
Other measures include watching for unknown or unusual processes on the system and using appropriate security tools, including firewalls and related security software, which must always be kept up to date. Finally, basic hygiene also helps, such as not clicking links or downloading software that arrives by email or direct message.
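Sweeping a fleet for published indicators usually means two checks: command-and-control domains in DNS or proxy logs, and file hashes on disk. The script below is an added example written for this article, not Intezer's or Bleeping Computer's tooling. It matches hosts against indicator domains exactly or as subdomains (a naive substring match would also fire on unrelated names that merely contain the indicator, which the sample log shows), and it hashes a directory tree against a hash list. The indicator domains, the log lines and the sample file are constructed placeholders; the published SysJoker indicators would be substituted for them before use.

```python
"""Sweep logs and disk for published indicators of compromise.

Added example for this article, not Intezer's or Bleeping Computer's code.
Indicator values, log lines and the sample file are constructed placeholders.
"""
import hashlib
import os
import re
import tempfile

# Constructed placeholder indicators; replace with the published lists.
C2_DOMAINS = {"c2-example.invalid"}

# Line formats handled: a BIND-style query log and a squid-style access log.
DNS_RE = re.compile(r"query: (\S+) IN")
URL_RE = re.compile(r"https?://([^/\s:]+)")


def normalize_domain(domain):
    """Lowercase and drop any trailing dot so 'Evil.TLD.' and 'evil.tld' compare equal."""
    return domain.strip().rstrip(".").lower()


def domain_matches(host, indicators):
    """True if host equals an indicator or is a subdomain of one (label boundary respected)."""
    host = normalize_domain(host)
    for ioc in indicators:
        ioc = normalize_domain(ioc)
        if host == ioc or host.endswith("." + ioc):
            return True
    return False


def extract_host(line):
    """Pull the queried or requested host out of a log line, or None if neither format matches."""
    for pattern in (DNS_RE, URL_RE):
        match = pattern.search(line)
        if match:
            return match.group(1)
    return None


def scan_log_lines(lines, indicators):
    """Return (line_number, host, line) for every line whose host matches an indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        host = extract_host(line)
        if host and domain_matches(host, indicators):
            hits.append((number, host, line.strip()))
    return hits


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_files(root, hashes):
    """Walk root and return (path, sha256) for every file whose hash is in the indicator set."""
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable or vanished; an analyst may want to log these
            if digest in hashes:
                matches.append((path, digest))
    return matches


# Constructed sample log lines; the fourth is a look-alike that must NOT match.
SAMPLE_LOG = [
    "10-Jan-2022 09:14:02.117 client 10.0.0.7#51234: query: www.example.com IN A + (10.0.0.2)",
    "10-Jan-2022 09:14:05.301 client 10.0.0.9#51240: query: update.c2-example.invalid IN A + (10.0.0.2)",
    "1641806120.455 10.0.0.9 TCP_MISS/200 512 GET http://cdn.c2-example.invalid/index.html - HIER_DIRECT/198.51.100.5 text/plain",
    "1641806131.002 10.0.0.3 TCP_MISS/200 1024 GET http://c2-example.invalid.evil.test/ - HIER_DIRECT/198.51.100.9 text/html",
]


def demo_file_scan():
    """Constructed demo: write a harmless sample file, hash it, and confirm the sweep finds it."""
    folder = tempfile.mkdtemp()
    sample = os.path.join(folder, "sample.bin")
    with open(sample, "wb") as handle:
        handle.write(b"constructed sample payload, not real malware\n")
    return scan_files(folder, {sha256_of(sample)})


if __name__ == "__main__":
    for number, host, line in scan_log_lines(SAMPLE_LOG, C2_DOMAINS):
        print(f"line {number}: {host}")
    for path, digest in demo_file_scan():
        print(f"hash match: {path} {digest}")
```

Lines 2 and 3 of the constructed log are reported (an exact subdomain lookup and a proxied request to a subdomain), while line 4 is not: its host merely begins with the indicator and belongs to a different domain, which is why the match is anchored on a label boundary rather than done as a substring search. For a real sweep the hash set is filled from the published list, and the walk is pointed at the directories the published indicators name for each operating system.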