SecPro#34: SysJoker Malware: Identifying Attack Vectors And Securing Your Systems, Recognizing Vulnerable Components
In today’s issue:
- Identifying Attack Vectors: SysJoker Malware – Analyzing Data Stealing Multi-Platform RAT
- OWASP Top 10: A06:2021 – Vulnerable and Outdated Components
- SecPro Bytes: Your Security Binocular
- Secret Knowledge: Building Your Security Arsenal
Exploit Detection & Analysis
Identifying Attack Vectors: The SysJoker Malware – A Multi-Platform RAT that Wants to Steal Your Data
By Austin Miller
New year, new RAT. That’s what the researchers at Intezer are telling us about the multi-platform “backdoor malware” they have dubbed SysJoker. It masquerades as a system update and acts as a Trojan.
What has got people’s attention is the multi-platform nature of this malware – the internet is no longer safe for macOS and Linux users either!
What is the SysJoker malware?
Initially discovered by security researchers at Intezer on January 11th, SysJoker is a cross-platform malware that communicates with command and control (C2) infrastructure, potentially allowing malicious files to be installed on the infected system and data to be exfiltrated.
Which operating system does it affect?
All major operating systems – Windows, macOS, and Linux – are vulnerable to the SysJoker malware.
What is the attack vector?
Disguising itself as a system update, the SysJoker backdoor targets Windows, Linux, and macOS systems in the form of an infected npm package (npm being the package manager for JavaScript).
What is “backdoor malware”?
Properly understood, the SysJoker “backdoor” is really a remote access Trojan (or RAT) that creates a continuous connection between all infected machines and the attacker’s own device.
Identifying Attack Vectors: How does SysJoker work?
Because SysJoker works on all three operating systems, it has three separate variants which are all fairly similar. Despite the differences between the OSs, each version of the malware relies on a hardcoded Google Drive link, a command and control infrastructure, and remote access capability that is loaded via the C2.
Although the Linux and macOS versions of the malware are absent from VirusTotal, the Windows version shows that the files are stored as .ts files – that is, files carrying the TypeScript extension. It is suspected that the Trojan gains access to all systems via a weakness in JavaScript’s npm.
Identifying Attack Vectors: Infection
After the initial infection occurs, the malware will do one of two things:
- For the Windows version, a DLL (a dynamic link library, acting as a first stage dropper) named style-loader.ts is loaded and makes contact with the C2 to find the zipped SysJoker file
- For Linux and macOS, the initial infection will make contact with the C2 via bash scripts (in place of PowerShell commands)
Security experts have noted that SysJoker has disguised itself as an update, meaning that it is more likely to trick the unassuming victim.
Identifying Attack Vectors: Contact with the C2
When contact is established, a zipped file is downloaded from GitHub (defanged URL: https[://]github[.]url-mini[.]com/msg.zip) and executed.
For the Windows version, the following directory is created: C:\ProgramData\SystemData\
It also disguises itself as igfxCUIService.exe (a would-be Intel Graphics executable) and starts gathering information about the system using Living off the Land commands. The information gathered includes:
- MAC address
- User name
- Physical media serial number
- IP address
This data is gathered into different temporary text files, deleted immediately, and stored in a JSON object, making it incredibly difficult to spot and stop. At this point, the victim’s infected device is now accessible remotely and at risk of further malware such as a botnet or a ransomware attack.
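As an added example (not Intezer’s tooling or any code from the report), a small Python triage helper that scans a file or process listing for the Windows artefacts named above: the staging directory, the masquerading igfxCUIService.exe and the .ts first-stage dropper. The legitimate location of igfxCUIService.exe under C:\Windows is an assumption, and the listing is constructed.

```python
"""Triage helper for the SysJoker Windows artefacts described above.
Added example, not Intezer's code; the genuine location of igfxCUIService.exe is assumed."""
from pathlib import PureWindowsPath

STAGING_DIR = r"C:\ProgramData\SystemData"   # directory created by the Windows sample
MASQUERADE_NAME = "igfxcuiservice.exe"       # genuine Intel Graphics name reused by the RAT
DROPPER_NAME = "style-loader.ts"             # DLL dropper hiding behind a TypeScript extension
# Assumption: the real igfxCUIService.exe only ever lives under the Windows directory.
TRUSTED_ROOTS = (r"C:\Windows",)


def _parts(path):
    """Case-folded path components, so C:\\ProgramData and c:\\programdata compare equal."""
    return [p.lower() for p in PureWindowsPath(path).parts]


def _under(path, root):
    """True if path sits at or below root (component-wise prefix match)."""
    p, r = _parts(path), _parts(root)
    return p[:len(r)] == r


def triage(paths):
    """Return (path, reason) pairs for every entry that matches an artefact."""
    findings = []
    for raw in paths:
        parts = _parts(raw)
        name = parts[-1] if parts else ""
        if _under(raw, STAGING_DIR):
            findings.append((raw, "inside SysJoker staging directory"))
        if name == MASQUERADE_NAME and not any(_under(raw, r) for r in TRUSTED_ROOTS):
            findings.append((raw, "igfxCUIService.exe outside the Windows directory"))
        if name == DROPPER_NAME:
            findings.append((raw, "style-loader.ts first-stage dropper"))
    return findings


# Constructed listing of the kind a file/process inventory would produce.
SAMPLE_LISTING = [
    r"C:\Windows\System32\igfxCUIService.exe",           # genuine binary, not flagged
    r"C:\ProgramData\SystemData\igfxCUIService.exe",     # masquerade in the staging directory
    r"C:\Users\alice\Downloads\update\style-loader.ts",  # dropper posing as a system update
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LISTING):
        print(f"{reason}: {path}")
```

The Linux and macOS variants are not covered here because the write-up gives no file-system artefacts for them.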
Remote control established
With the connection created between the infected device and the C2, the infected device will make contact with a text file hosted on Google Drive. This is then decoded and serves as the instructions for the malware.
Protecting Your System
According to the report by Intezer, there were no records of the SysJoker malware on VirusTotal for the macOS and Linux versions, and only six detections for the Windows version.
Disabling npm
Because the malware can enter a Windows device, a macOS device, or a Linux-based web server or personal computer via the JavaScript package manager (npm), check your systems for npm using the following command: npm -v
Unless you have deliberately installed it, you should be fine and safe from the SysJoker backdoor RAT. If you find npm, you will need to be on the lookout for malicious software. Until a patch becomes available, disabling or uninstalling npm is the best way to avoid an infected machine.
SysJoker: Is it worth the panic?
As yet, there has been only one known successful infection of SysJoker – a leading educational institution running a Linux-based web server, according to Intezer – so this isn’t going to be a Log4Shell crisis, mark II. However, security professionals need to be on high alert to diagnose exploitation of npm on their systems.
OWASP
OWASP Top 10: A06:2021 – Vulnerable and Outdated Components
By Austin Miller
Although we are working down the Top 10 from most serious to least, this entry is giving the OWASP community more than a little to worry about. Ranked sixth on the OWASP Top 10 but second in the community awards, Vulnerable and Outdated Components is one of the top concerns for the application security community right now.
What are vulnerable and outdated components?
Whenever a web application ships a component with known vulnerabilities for which security patches are already available, its developers have included vulnerable and outdated components. This is a broad topic, so let’s look at some examples:
- Possibly the most controversial leak in recent memory, the Panama Papers breach was traced to known vulnerabilities in the now-defunct Mossack Fonseca’s WordPress website. 2.6 TB of data was leaked because of vulnerabilities that went unpatched
- The Ubuntu Forums were targeted by an attack that led to a leak of 2 million usernames, IP addresses, and passwords. The forum had a known SQL injection vulnerability in the Forumrunner add-on
Snyk also found nine organizations whose large-scale data breaches were caused by vulnerable and outdated components in forum software, six of which came directly from using an outdated version of the vBulletin software.
How do vulnerable components get into modern applications?
As organizations expect faster turnarounds on new web applications, relying on vulnerable and outdated components in common libraries is becoming a major issue for some. Just look at the Log4Shell crisis – a vulnerable component in a widely used Java logging library made it into an astoundingly large number of applications, meaning that security teams have been working overtime scanning and updating systems since its discovery at the end of 2021.
How do I recognize vulnerable and outdated components?
The truth is that open source components make up a huge part of the tools that software developers use on a daily basis. The big question is how can I trust these tools? OWASP advises developers to conduct the following risk management best practices:
- Understanding the versions of all components included in the application is key to finding vulnerabilities
- All components, and each of their updates and upgrades, must be thoroughly scanned and tested by developers and quality assurance officers
- Software developers should be supported with security bulletins related to components that are being used
- Vulnerabilities in components and libraries should be fixed, updated, upgraded, or patched regularly – for serious issues like Log4Shell, this can’t be done on a monthly or quarterly basis, so be prepared for urgent changes to vulnerabilities in your web application!
- Security experts should ensure that the configuration of all components is secure as well (to find out more see SecPro issue #33 or the OWASP A05: Security Misconfigurations page)
Best practices for treating security vulnerabilities
Developing your own processes for threat hunting and updating is key, but here are a few helpful tips from OWASP to get you started:
- Remove unused dependencies and unnecessary features – if it’s unused, it’s an unnecessary attack vector that the adversary will try to exploit
- Inventory client-side and server-side components so you understand what is in your application and what needs to be improved
- Avoid components from suspicious sources, turning only to signed packages from reputable vendors wherever possible
- Avoid libraries and components that are end-of-life (EOL) or no longer producing patches for any other reason
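The checks in the two lists above (inventory every component, compare versions against advisories, flag end-of-life components) boil down to a small audit loop. This is an added example, not OWASP tooling; the inventory, the struts2 advisory and the EOL set are constructed, and the log4j-core range follows the public Log4Shell advisory.

```python
"""Toy software-composition audit for the A06 checks above. Added example;
advisory and end-of-life data are constructed samples, not a real feed."""
import re


def parse_version(v):
    """Sort key: numeric parts padded to three, then release sorts after pre-release
    (so 2.0-beta9 < 2.0 < 2.14.1)."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+\d*))?$", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    pre = m.group(2)
    return (nums, 1, "") if pre is None else (nums, 0, pre.lower())


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (the fixed release itself is clean)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit(inventory, advisories, eol):
    """Return (component, version, reason) findings for the whole inventory."""
    findings = []
    for component, version in inventory.items():
        for adv in advisories:
            if adv["component"] == component and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append((component, version, f"vulnerable: {adv['id']}, upgrade to >= {adv['fixed']}"))
        if component in eol:
            findings.append((component, version, "end-of-life: no further patches will be published"))
    return findings


# Constructed inventory, as a build-manifest scan would produce it.
INVENTORY = {
    "org.apache.logging.log4j:log4j-core": "2.14.1",
    "org.apache.struts:struts2-core": "2.5.30",
    "legacy-forum-addon": "1.0",
}
# Constructed advisories; the log4j-core range follows the public Log4Shell advisory.
ADVISORIES = [
    {"component": "org.apache.logging.log4j:log4j-core", "id": "Log4Shell",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
    {"component": "org.apache.struts:struts2-core", "id": "EXAMPLE-ADVISORY (constructed)",
     "introduced": "2.0.0", "fixed": "2.5.30"},
]
EOL = {"legacy-forum-addon"}  # constructed: stands in for any component past end-of-life

if __name__ == "__main__":
    for component, version, reason in audit(INVENTORY, ADVISORIES, EOL):
        print(f"{component} {version}: {reason}")
```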
Security Risks and Security Patches – Understanding How To Manage Them
Vulnerable components are a major risk to many organizations, and there isn’t an OWASP testing guide that will magically stop your Java applications from containing a dodgy Log4j logging package or keep a constant eye on the Struts2 framework that you didn’t even realize was in the application. Scanning your systems is the first step to cleaning up, but developing a healthy web application security posture is the most important thing in the long term.
To find out more, read these excellent guides for vulnerability troubleshooting:
- OWASP Application Security Verification Standard: V1 Architecture, design and threat modelling
- OWASP Virtual Patching Best Practices
- Retire.js for detecting known vulnerable JavaScript libraries
SecPro Bytes: Your Security Binocular
Django Unchained: A Potentially Critical Vulnerability in the REST Framework
A new vulnerability has been found in the Django REST framework, which is used in products from Mozilla, Red Hat, and Heroku. It allows IP address spoofing: security researcher Hosein Vita found that the REST server can be tricked with request headers.
By supplying arbitrary values in the X-Forwarded-For HTTP header, it is possible to send unlimited requests from the same client. For an adversary, that makes a botnet-driven or DDoS attack easy to launch.
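The defence against this class of bug is to never key rate limits on the leftmost X-Forwarded-For value. As an added example (not Django REST framework code), the function below walks the header from the right, skips hops that belong to an assumed set of trusted reverse proxies, and takes the first untrusted hop as the client; beside it sits the naive derivation the blurb describes.

```python
"""Client-IP derivation that does not trust an unauthenticated X-Forwarded-For header.
Added example, not Django REST framework code; the trusted proxy range is an assumption."""
import ipaddress

# Assumption: these are the only reverse proxies that sit in front of the application.
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.0/8"),)


def _trusted(addr):
    """True if addr is one of our own proxies; raises ValueError on non-IP garbage."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Walk X-Forwarded-For right to left; the first hop that is not a trusted proxy
    is the client. If the socket peer itself is not a trusted proxy, the header is
    attacker-controlled and ignored entirely."""
    if not _trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: fall back to the socket peer rather than guess
    return remote_addr


def naive_client_ip(remote_addr, xff_header):
    """The weak pattern the blurb describes: the leftmost value wins, so every request
    can claim a fresh identity and any rate limit keyed on it never triggers."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return remote_addr


if __name__ == "__main__":
    # Constructed request: proxy 10.0.0.5 appended the true peer 203.0.113.7
    # after a spoofed value the client sent itself.
    print(naive_client_ip("10.0.0.5", "9.9.9.9, 203.0.113.7"))  # attacker-chosen 9.9.9.9
    print(client_ip("10.0.0.5", "9.9.9.9, 203.0.113.7"))        # real peer 203.0.113.7
```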
New SolarWinds Log4j Serv-U Bug Allows Unsanitized Input By the Adversary
Logged as CVE-2021-35247, SolarWinds have already released a statement to make it clear that there has been “no downstream effect” because the LDAP servers ignore improper characters. But research from Akamai has shown that this flaw has already been exploited to infect systems and spread malware such as the Mirai botnet through the Log4Shell vulnerability in Zyxel devices.
Secret Knowledge: Building Your Security Arsenal
Discover useful security resources: study guides, labs, cheatsheets, and open-source CLI/web tools.
Study Board & Pentesting Labs
SOC Analyst Study Guide – Become a well-rounded SOC Analyst with this free guide by Jay Jay Davey. You can duplicate and retrofit into your own study board.
Collection of free labs to learn cloud pentesting.
New & Trending
Daily Swig – A rundown of 30 important cybersecurity conferences and events in 2022.
mpalmer/action-validator – The action-validator is a standalone tool designed to “lint” the YAML files used to define GitHub Actions and Workflows.
RhinoSecurityLabs/cloudgoat – It allows you to hone your cloud cybersecurity skills by creating and completing several “capture-the-flag” style scenarios.
ossf/allstar – Its goal is to be able to continuously monitor and detect any GitHub setting or repository file contents that may be risky or do not follow security best practices.
Cloud Security
insject – insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces.
initstring/cloud_enum – Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.
awesome-azure-policy – A curated list of blogs, videos, tutorials, code, tools, scripts, and anything useful to help you learn Azure Policy.