Posted on January 13, 2022 at 5:05 PM
Researchers have discovered a new backdoor, believed to be distributed through malicious npm packages, that targets Windows, macOS and Linux. The malware has been spreading under the radar: according to the report, the Linux and macOS versions were fully undetected on VirusTotal.
Although the macOS and Linux variants lack the first-stage DLL dropper used by the Windows variant, they carry out the same malicious activities on the infected device.
The Malware Remained Undetected For A Long Time
The malware has been detailed by researchers at Intezer, who named it SysJoker. It was uncovered while the researchers were investigating an attack against a Linux-based web server. During the investigation they found that, although SysJoker was already present on the server, it was not the malware behind the attack being investigated.
The malware is written in C++, with a separate variant built for each operating system. All of them went undetected on VirusTotal, the online service that scans submissions with 57 different antivirus engines.
SysJoker gathers details about the compromised device using Living Off The Land (LOtL) commands, that is, built-in system utilities rather than custom tooling, and writes the output of each command to a temporary text file.
It then deletes those text files immediately, but keeps their contents in a JSON object, which it encodes and writes to a file named "microsoft_Windows.dll" (a data file, despite the extension).
For persistence, the malware adds a new registry key on Windows, and it inserts random sleep intervals between its functions to slow down analysis and avoid sandbox detection.
The Malware Can Be Used To Deliver Additional Malware
Given the nature of the malware and the way it is set up to provide a backdoor into systems, the threat actors' goal is likely espionage. The backdoor can also serve as a delivery mechanism for additional malware on compromised systems.
“Based on the malware’s capabilities we assess that the goal of the attack is espionage together with lateral movement,” the researchers noted, adding that their activities could result in ransomware attacks in the long run.
SysJoker Infected Devices By Masquerading As A System Update
The researchers also stated that SysJoker masquerades as a system update on macOS and Linux, while the Windows version poses as an Intel driver.
It is not clear how the threat actors delivered the fake updates and drivers, but they look genuine enough to lure users into installing them.
The researchers also noted that names such as "updateSystem" and "updateMacOs" are generic; that helps them blend in, but a process or directory with such a name that is not part of the operating system's own update mechanism is a useful hunting lead.
The Threat Actors Are Closely Monitoring Campaigns
According to the researchers' analysis, the threat actors started actively deploying the malware in the second half of 2021. The report also indicates that the operators are closely monitoring their campaigns.
The attackers also keep changing their command and control (C2) domains to circumvent security checks. The researchers noted that the domains had already been changed at least three times after the malware was first spotted in December, which suggests the operators are actively watching their targets. Domain-based blocking alone is therefore unreliable; host artifacts are the more durable indicators.
The Threat Actors Use Sophisticated Techniques
The way the malware targets multiple operating systems, the way the threat actors choose their targets, and the close attention they pay to compromised victims all indicate that those behind the malware can be described as an "advanced threat actor."
Many threat actors buy the tooling and code they use to launch attacks. This group, by contrast, wrote its code from scratch, which points to a high level of skill and suggests the operators know exactly what they are doing and which types of victims they are targeting.
The only positive aspect of the campaign is that it has not spread widely. That appears to be by design: the attackers are interested in specific targets and aim to remain hidden on affected devices for a long period. Had the researchers not been investigating a different attack, the malware would have stayed hidden even longer.
The researchers have advised users on how to avoid falling victim to the attack. Users should run memory scanners, which can detect payloads that are only present in memory. Administrators should monitor for the file and process names and persistence entries described above, treat any hit as a compromise to investigate, and not rely on blocking C2 domains that the operators rotate.
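As an added example of the host-side hunting the advice above calls for (this is not Intezer's or the article's code), the script below looks only for the artifacts the article itself names: the "updateSystem" and "updateMacOs" names, the "microsoft_Windows.dll" output file, and Windows Run-key persistence entries whose binary lives outside the locations a genuine Intel driver would be installed in. The sample directory tree and registry values are constructed for the demonstration, and the list of trusted install prefixes is an assumption you should tune to your environment.

```python
"""Hunt for the SysJoker artifacts described in the article.

Added example, not code from the original report. It matches only the names
the article gives; the sample tree and Run-key values are constructed inputs.
"""
import os
import tempfile
from pathlib import Path

# File and directory names the article attributes to SysJoker (lowercased).
INDICATOR_NAMES = {"updatesystem", "updatemacos", "microsoft_windows.dll"}

# Assumption for the example: a legitimate driver or service binary that is
# started from a Run key is installed under one of these prefixes. Anything
# else (ProgramData, AppData, Temp, ...) is flagged for review.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

# Constructed Run-key values (value name -> command line), as they might be
# read from HKCU\...\CurrentVersion\Run on a suspect host.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "Intel Graphics Service": r'"C:\Users\alice\AppData\Roaming\IntelDrv\update.exe" --svc',
}


def find_indicator_files(root):
    """Walk `root` and return every path whose basename is a known indicator.

    Directory names are checked as well as file names, because the article
    describes updateSystem / updateMacOs as masquerading components that may
    be directories or executables.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.lower() in INDICATOR_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def _executable_path(command_line):
    """Extract the executable from a Run-key command line (quoted or not)."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        return command_line[1:].split('"', 1)[0]
    return command_line.split(None, 1)[0]


def suspicious_run_entries(run_values):
    """Return (value_name, reason) for Run entries launched from untrusted paths."""
    flagged = []
    for value_name, command_line in run_values.items():
        exe = _executable_path(command_line).lower()
        if not exe.startswith(TRUSTED_PREFIXES):
            flagged.append((value_name, "binary outside trusted install prefixes: " + exe))
    return flagged


def build_sample_tree():
    """Create a constructed directory tree with two SysJoker-like artifacts."""
    root = tempfile.mkdtemp(prefix="sysjoker_demo_")
    mac = Path(root, "Library", "updateMacOs")          # constructed macOS-style artifact
    mac.mkdir(parents=True)
    (mac / "microsoft_Windows.dll").write_text("{}")    # encoded JSON output file
    Path(root, "opt", "updateSystem").mkdir(parents=True)  # constructed Linux-style artifact
    Path(root, "usr", "bin").mkdir(parents=True)
    Path(root, "usr", "bin", "ls").write_text("")         # benign, should not match
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in find_indicator_files(root):
        print("indicator file:", hit)
    for name, reason in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print("suspicious Run entry:", name, "->", reason)
```

On a live host, point `find_indicator_files` at `/` (or a mounted disk image) and feed `suspicious_run_entries` the Run-key values exported from the registry; a match on a name is a trigger for investigation, not proof of compromise, and the C2 domains should be pulled from the current report rather than hard-coded, since the operators rotate them.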