
SecPro#34: SysJoker Malware: Identifying Attack Vectors And Securing Your Systems, Recognizing Vulnerable Components

 In today’s issue:

  •  Identifying Attack Vectors: SysJoker Malware – Analyzing Data Stealing Multi-Platform RAT 
  •  OWASP Top 10: A06:2021 – Vulnerable and Outdated Components 
  •  SecPro Bytes: Your Security Binocular
  •  Secret Knowledge: Building Your Security Arsenal

Exploit Detection & Analysis

Identifying Attack Vectors: The SysJoker Malware – A Multi-Platform RAT that Wants to Steal Your Data  

By Austin Miller

Identifying Attack Vectors: New year, new RAT. That’s what the researchers at Intezer are telling us about the multi-platform “backdoor malware” that they have dubbed SysJoker. It masquerades as a system update and acts as a Trojan. 

Something that has got people’s attention is the multi-platform nature of this malware – no longer is the internet safe for macOS and Linux users!  

What is the SysJoker malware? 

Initially discovered by security researchers at Intezer on January 11th, SysJoker is cross-platform malware that communicates with command and control (C2) infrastructure, potentially allowing malicious files to be installed on the infected system and data to be exfiltrated.  

Which operating system does it affect? 

All major operating systems – Windows, macOS, and Linux – are vulnerable to the SysJoker malware. 

What is the attack vector? 

Disguising itself as a system update, the SysJoker backdoor targets Windows, Linux, and macOS systems in the form of an infected npm package (npm being the package manager for JavaScript).  

What is “backdoor malware”? 

Properly understood, the SysJoker “backdoor” is really a remote access Trojan (or RAT) that creates a continuous connection between all infected machines and the attacker’s own device.  

Identifying Attack Vectors: How does SysJoker work? 

Because SysJoker works on all three operating systems, it has three separate approaches, which are all fairly similar. Despite the differences between the OSs, each version of the malware relies on a hardcoded Google Drive link, a command and control infrastructure, and remote access behaviour whose instructions are loaded from the C2.

Despite the Linux and macOS versions of the malware being absent from VirusTotal, the Windows version shows that the files are stored as .ts files – that is, TypeScript files. It is suspected that the Trojan gains access to all systems via a weakness in JavaScript’s npm.  

Identifying Attack Vectors: Infection 

After the initial infection occurs, the malware will do one of two things: 

  • For the Windows version, a DLL (a dynamic link library, acting as a first stage dropper) named style-loader.ts is loaded and makes contact with the C2 to find the zipped SysJoker file 
  • For Linux and macOS, the initial infection will make contact with the C2 via bash scripts (in place of PowerShell commands)

Security experts have noted that SysJoker has disguised itself as an update, meaning that it is more likely to trick the unassuming victim.  

Contact with the C2

When contact is established, a zipped file is downloaded from GitHub (which you can view here: https[://]github[.]url-mini[.]com/msg.zip) and executed. 

For the Windows version, the following directory is created: C:\ProgramData\SystemData\ 

It also disguises itself as igfxCUIService.exe (a would-be Intel Graphics executable) and starts to build information about the system to run Living off the Land commands. The information gathered includes: 

  • MAC address 
  • User name 
  • Physical media serial number 
  • IP address 

This data is gathered into different temporary text files, deleted immediately, and stored in a JSON object, making it incredibly difficult to spot and stop. At this point, the victim’s infected device is now accessible remotely and at risk of further malware such as a botnet or a ransomware attack.  
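A defender-side triage check built from the indicators the write-up gives (the C:\ProgramData\SystemData\ drop directory and the igfxCUIService.exe masquerade). This is an added example, not Intezer's or SecPro's code; the process records are constructed, and the allowlist of directories where a genuine Intel igfxCUIService.exe lives is an assumption you should adjust to your fleet.

```python
"""Flag processes matching the SysJoker Windows indicators described above.
Added example; process inventory below is constructed sample data."""
from pathlib import PureWindowsPath

# Indicators taken from the write-up above
DROP_DIR = PureWindowsPath(r"C:\ProgramData\SystemData")
MASQUERADE_NAME = "igfxcuiservice.exe"

# Assumed: locations where the legitimate Intel Graphics service binary lives
ASSUMED_INTEL_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\System32\DriverStore\FileRepository"),
)


def _under(path, parent):
    """True if path sits anywhere below parent (case-insensitive on Windows paths)."""
    try:
        path.relative_to(parent)
        return True
    except ValueError:
        return False


def triage_process(pid, image_path):
    """Return a list of finding strings for one running process (empty if clean)."""
    p = PureWindowsPath(image_path)
    findings = []
    if _under(p, DROP_DIR):
        findings.append(f"pid {pid}: image under SysJoker drop dir {DROP_DIR}")
    if p.name.lower() == MASQUERADE_NAME and not any(_under(p, d) for d in ASSUMED_INTEL_DIRS):
        findings.append(f"pid {pid}: {p.name} running from unexpected path {p.parent}")
    return findings


def triage_all(processes):
    """Run triage_process over (pid, image_path) pairs and collect all findings."""
    out = []
    for pid, image in processes:
        out.extend(triage_process(pid, image))
    return out


# Constructed sample inventory: one genuine Intel service, one masquerade, one unrelated
SAMPLE = [
    (412, r"C:\Windows\System32\DriverStore\FileRepository\igfx_example.inf_amd64\igfxCUIService.exe"),
    (9001, r"C:\ProgramData\SystemData\igfxCUIService.exe"),
    (2200, r"C:\Program Files\nodejs\node.exe"),
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE):
        print(finding)
```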

Remote control established 

With the connection created between the infected device and the C2, the infected device will make contact with a text file hosted on Google Drive. This is then decoded and serves as the instructions for the malware.  

Protecting Your System 

According to the report by Intezer, there were no records of the SysJoker malware on VirusTotal for the macOS and Linux versions as well as only six detections for Windows.  

Disabling npm 

Because the exploit can enter a Windows device, a macOS device, or a Linux-based web server or personal computer via the JavaScript package manager (npm), check your systems for npm using the following command: npm -v 

Unless you have explicitly gone out hunting for it, you should be fine and safe from the SysJoker backdoor RAT. If you find npm, you will need to be on the lookout for malicious software. Until a patch becomes available, disabling or uninstalling npm is the best way to avoid an infected machine.  

SysJoker: Is it worth the panic? 

As of yet, there has been only one known successful infection of SysJoker – a leading educational institution running a Linux-based web server, according to Intezer – so this isn’t going to be a Log4Shell crisis, mark II. However, security professionals need to be on high alert to diagnose exploitation of npm on their systems.

OWASP

OWASP Top 10: A06:2021 – Vulnerable and Outdated Components

By Austin Miller

Despite heading down the Top 10 from most serious to least, here is one that is giving the OWASP community more than a little bit to worry about. Coming in at number 6 on the OWASP Top 10 but number 2 in the community awards, Vulnerable and Outdated Components are one of the top concerns for the application security community right now.  

What are vulnerable and outdated components? 

Any time known vulnerabilities are included in web applications when known security patches are available, the developers have included vulnerable and outdated components. This is a broad topic, so let’s look at some examples: 

  • Possibly the most controversial leak in recent memory, the Panama Papers breach was caused by known vulnerabilities in the now-defunct Mossack Fonseca’s WordPress website. 2.6TB of data was leaked due to vulnerabilities that went unpatched
  • The Ubuntu Forums were targeted by an attack that led to a leak of 2 million usernames, IP addresses, and passwords. The forum had a known SQL injection vulnerability in the Forumrunner add-on 

Snyk also found that 9 organizations suffered large-scale data breaches caused by vulnerable and outdated components in forum software, and that 6 of those came directly from using an outdated version of the vBulletin software.  

How do vulnerable components get into modern applications? 

As organizations expect faster turnarounds on new web applications, relying on vulnerable and outdated components in common libraries is becoming a major issue for some. Just look at the Log4Shell crisis – a vulnerable component found in the Java library has made it into an astoundingly large number of applications, meaning that security teams have been working overtime scanning and updating systems since its discovery at the end of 2021.  

How do I recognize vulnerable and outdated components? 

The truth is that open source components make up a huge part of the tools that software developers use on a daily basis. The big question is: how can I trust these tools? OWASP advises developers to follow these risk management best practices: 

  • Understanding the versions of all components included in the application is key to finding vulnerabilities
  • All components and the various updates and upgrades must be thoroughly scanned & tested by developers and quality assurance officers
  • Software developers should be supported with security bulletins related to components that are being used
  • Vulnerabilities in components and libraries should be fixed, updated, upgraded, or patched regularly – for serious issues like Log4Shell, this can’t be done on a monthly or quarterly basis, so be prepared for urgent changes to vulnerabilities in your web application! 
  • Security experts should ensure that the configuration of all components is secure as well (to find out more see SecPro issue #33 or the OWASP A05: Security Misconfigurations page) 

Best practices for treating security vulnerabilities 

Developing your own processes for threat hunting and updating is key, but here are a few helpful tips from OWASP to get you started:

  • Remove unused dependencies and unnecessary features – if it’s unused, it’s an unnecessary attack vector that the adversary will try to exploit
  • Inventory client-side and server-side components so you understand what is in your application and what needs to be improved
  • Avoid components from suspicious sources, turning only to signed packages from reputable vendors wherever possible
  • Avoid libraries and components that are end-of-life (EOL) or no longer producing patches for any other reason

Security Risks and Security Patches – Understanding How To Manage Them 

Vulnerable components are a major risk to many organizations and there isn’t an OWASP testing guide that will magically stop your Java applications containing a dodgy Log4j logging package or keep a constant eye on the Struts2 framework that you didn’t even realize was in the application. Scanning your systems is the first step to cleaning up, but developing a healthy web application security posture is the most important thing in the long term. 

To find out more, read these excellent guides for vulnerability troubleshooting: 

SecPro Bytes: Your Security Binocular 

Django Unchained: A Potentially Critical Vulnerability in the REST Framework 

A new vulnerability has been found in the Django REST framework. It allows IP address spoofing and is included in products from Mozilla, Red Hat, and Heroku. Security researcher Hosein Vita found that tricking the REST server is possible with request headers.

By forwarding values through the X-Forwarded-For HTTP header, it is possible to send unlimited requests to the same client. If you’re the adversary, it is easy to launch a botnet or a DDoS attack.  
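To make the failure mode concrete, here is an added example (not the Django REST framework's own code) of a per-client throttle. Keying the rate limit on the leftmost X-Forwarded-For value lets the client choose its own identity on every request; the fix is to trust only the address appended by your own proxy chain, counting from the right (Django REST framework exposes this as its NUM_PROXIES setting). The IP addresses and proxy layout are constructed.

```python
"""Throttle client identification: weak (trusts client-supplied header) vs hardened.
Added example, not DRF's code. Assumes one trusted reverse proxy in front of the app."""


def ident_weak(headers, remote_addr):
    """Uses the leftmost X-Forwarded-For value, which the client fully controls."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def ident_hardened(headers, remote_addr, num_proxies):
    """Uses only the address appended by the num_proxies trusted proxies, counted from the right."""
    if num_proxies <= 0:
        return remote_addr  # no proxy in front: the socket peer is the only trustworthy value
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return remote_addr
    addrs = [a.strip() for a in xff.split(",") if a.strip()]
    if len(addrs) < num_proxies:
        return remote_addr  # too few hops: header did not pass through our proxies
    return addrs[-num_proxies]


class Throttle:
    """Counts requests per client identifier and denies once a limit is exceeded."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = {}

    def allow(self, ident):
        self.counts[ident] = self.counts.get(ident, 0) + 1
        return self.counts[ident] <= self.limit


def simulate(identify, spoofed_values, limit=3):
    """One real client (203.0.113.10, constructed) behind one trusted proxy sends a request
    per spoofed value, each with a self-chosen X-Forwarded-For prefix. Returns requests allowed."""
    throttle = Throttle(limit)
    allowed = 0
    for fake in spoofed_values:
        # The trusted proxy appends the real peer address after whatever the client sent
        headers = {"X-Forwarded-For": f"{fake}, 203.0.113.10"}
        if throttle.allow(identify(headers, "10.0.0.1")):  # remote_addr is the proxy itself
            allowed += 1
    return allowed


SPOOFED = [f"198.51.100.{i}" for i in range(20)]  # constructed client-chosen values

if __name__ == "__main__":
    print("weak throttle allowed:", simulate(ident_weak, SPOOFED))
    print("hardened throttle allowed:", simulate(lambda h, r: ident_hardened(h, r, 1), SPOOFED))
```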

New SolarWinds Log4j Serv-U Bug Allows Unsanitized Input By the Adversary 

Logged as CVE-2021-35247, SolarWinds has already released a statement to make it clear that there has been “no downstream effect” because the LDAP servers ignore improper characters. But research from Akamai has shown that this flaw has already been exploited to infect systems and spread malware such as the Mirai botnet through the Log4Shell vulnerability in Zyxel devices.

 Secret Knowledge: Building Your Security Arsenal

Discover useful security resources on Identifying Attack Vectors, cheatsheets, hacks, and open-source CLI/web tools.

Study Board & Pentesting Labs 
SOC Analyst Study Guide – Become a well-rounded SOC Analyst with this free guide by Jay Jay Davey. You can duplicate and retrofit it into your own study board.
Collection of free labs to learn cloud pentesting.

Daily Swig – A rundown of 30 important cybersecurity conferences and events in 2022.
mpalmer/action-validator – The action-validator is a standalone tool designed to “lint” the YAML files used to define GitHub Actions and Workflows.  
RhinoSecurityLabs/cloudgoat – It allows you to hone your cloud cybersecurity skills by creating and completing several “capture-the-flag” style scenarios. 
ossf/allstar –  Its goal is to be able to continuously monitor and detect any GitHub setting or repository file contents that may be risky or do not follow security best practices. 

Cloud Security 

insject – insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces. 
initstring/cloud_enum – Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud. 
awesome-azure-policy – A curated list of blogs, videos, tutorials, code, tools, scripts, and anything useful to help you learn Azure Policy.
