[HN Gopher] New SysJoker Backdoor Targets Windows, Linux, and macOS
___________________________________________________________________
New SysJoker Backdoor Targets Windows, Linux, and macOS
Author : mzs
Score : 82 points
Date : 2022-01-11 19:09 UTC (3 hours ago)
(HTM) web link (www.intezer.com)
(TXT) w3m dump (www.intezer.com)
| mro_name wrote:
| talking security and the webpage loading dozens of 3rd parties?
| ugh.
| rkagerer wrote:
| _SysJoker will create persistence by adding an entry to the
| registry run key
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run_
|
| I regularly run tools like Autoruns to disable unwanted new
| entries in places like this. These days it's more of a problem
| for me with regular software than it is malware.
|
| Unfortunately locking down the registry key can break legitimate
| installers.
|
| Does anyone know of a decent utility that monitors for changes in
| the background and notifies you via an unintrusive little icon in
| the system tray (no balloons) which you can click when convenient
| to review the offenders?
|
| Have also contemplated a process "whitelist" that allows you to
| whitelist regular programs (maybe it has a mode you can run for a
| time where it learns automatically) and lets you easily view
| stuff running that you don't recognize.
| [deleted]
| mrcsharp wrote:
| Windows 11 does notify the user when a program registers itself
| to run at startup.
| pluc wrote:
| How it took Windows 30 years to do this is beyond me
| softblush wrote:
| Depending on your exact use case check out
|
| - MJ Registry Watcher
|
| - RegShot
|
| - Or monitor yourself with some WMI query
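The "monitor yourself with some WMI query" option above, written out as an added example that is not from the thread or from Intezer: it subscribes to the WMI registry event provider for the per-user Run key quoted earlier, keeps a baseline of the key's values, and appends each added, changed or removed entry to a log file that can be reviewed whenever convenient. The log path is an assumption; everything else is standard PowerShell and WMI. One caveat the provider imposes: its event classes do not accept `HKEY_CURRENT_USER`, so the same key has to be addressed as `HKEY_USERS\<SID>\...`.

```powershell
# Added example (not from the thread): watch HKCU\...\Run with a WMI/CIM
# registry change event and append a review log of what changed.
# Assumptions: Windows PowerShell 5.1 or later; $LogPath is an arbitrary choice.

$LogPath = Join-Path $env:LOCALAPPDATA 'runkey-watch.log'   # assumed location
$RunKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# The registry event provider (root\default) does not support HKEY_CURRENT_USER,
# so address the current user's hive through HKEY_USERS\<SID>.
$Sid        = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$WqlKeyPath = "$Sid\Software\Microsoft\Windows\CurrentVersion\Run" -replace '\\', '\\'  # WQL needs '\\'
$Query      = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_USERS' AND KeyPath='$WqlKeyPath'"

function Get-RunEntries {
    # Snapshot the key's values as a name -> command hashtable.
    param([string]$Path)
    $entries = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($prop.Name -notlike 'PS*') { $entries[$prop.Name] = [string]$prop.Value }
        }
    }
    return $entries
}

function Compare-RunEntries {
    # Produce one human-readable line per difference between two snapshots.
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = @()
    foreach ($name in $Current.Keys) {
        if (-not $Baseline.ContainsKey($name)) {
            $changes += "ADDED   '$name' -> $($Current[$name])"
        } elseif ($Baseline[$name] -ne $Current[$name]) {
            $changes += "CHANGED '$name' -> $($Current[$name]) (was: $($Baseline[$name]))"
        }
    }
    foreach ($name in $Baseline.Keys) {
        if (-not $Current.ContainsKey($name)) {
            $changes += "REMOVED '$name' (was: $($Baseline[$name]))"
        }
    }
    return ,$changes
}

$baseline = Get-RunEntries -Path $RunKey
Register-CimIndicationEvent -Namespace 'root/default' -Query $Query -SourceIdentifier 'RunKeyWatch'
Write-Host "Watching $RunKey; changes are appended to $LogPath"

try {
    while ($true) {
        # Block until the provider reports a change to the key, then re-snapshot.
        $evt = Wait-Event -SourceIdentifier 'RunKeyWatch'
        Remove-Event -EventIdentifier $evt.EventIdentifier
        $current = Get-RunEntries -Path $RunKey
        foreach ($line in (Compare-RunEntries -Baseline $baseline -Current $current)) {
            "$((Get-Date).ToString('s')) $line" | Add-Content -Path $LogPath
        }
        $baseline = $current
    }
} finally {
    Unregister-Event -SourceIdentifier 'RunKeyWatch'
}
```

This only covers the one key quoted in the comment. The machine-wide `HKLM\...\Run`, `RunOnce` and the `WOW6432Node` variants can be added with further subscriptions, but scheduled tasks, services, WMI event subscriptions and the other locations Autoruns enumerates are not registry values under a single key and need their own checks.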
| nimbius wrote:
| christ spare me the 70mb CSS dog and pony show. give me the CVE
| or get off my lawn..
|
| - so far the only people i see flogging this are some company
| called Intezer.
|
| - MITRE related security sites all show a blurb on it saying NPM
| packages "might" be a vector.
|
| - NOWHERE is it listed the vector or method of attack employed
| for linux systems, but sure, add linux because SEO reasons.
|
| can anyone give a tech source for the linux side of the house?
| zokier wrote:
| Modern malware is so often quite boring. Like this one, it
| doesn't actually perform any interesting attacks on its own, it
| just uses bog-standard autorun for persistence and generic names
| to obfuscate its presence. Nothing particularly sophisticated or
| technically impressive imho.
| ancode wrote:
| Why blow the interesting stuff on generic targets
| ASalazarMX wrote:
| This is why we can't have nice malware.
| yepthatsreality wrote:
| > SysJoker masquerades as a system update and generates its C2 by
| decoding a string retrieved from a text file hosted on Google
| Drive. During our analysis the C2 changed three times, indicating
| the attacker is active and monitoring for infected machines.
| uniqueuid wrote:
| Is that a common technique?
|
| Are there other methods in use for masquerading, or do people
| simply hard-code a group of C2 IPs or DNS entries?
| moritonal wrote:
| There are infinite ways. One for example is to generate a DNS
| address from the UTC time and try to connect to that. It's easy
| to simply buy the correct DNS name and send an order out to
| the botnet. Or to hide the commands in a DNS request itself,
| or look up a gist, or a tweet etc.
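The date-seeded scheme described in that comment, seen from the defender's side as an added example (not code from the thread or from any of the reports mentioned): once a sample's generation routine is known, the same routine can be run ahead of time to produce the names it will try in a window of days, which is how sinkholes and DNS blocklists are pre-populated and how DNS logs are matched against them. The seed, the `.example` suffix and the log line format are constructed for this illustration; `Find-DgaHits` is a hypothetical helper, not a product feature.

```powershell
# Added example (not from the thread): reproduce a date-seeded domain
# generator and use it to pre-compute a blocklist and scan DNS query logs.
# The seed, suffix and log format are constructed; they belong to no real sample.

function Get-DateSeededDomain {
    # One deterministic name per UTC day: sha256(seed|yyyy-MM-dd), first 12 hex chars.
    param([datetime]$UtcDate, [string]$Seed = 'constructed-seed')
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes("$Seed|$($UtcDate.ToString('yyyy-MM-dd'))")
    $hex   = -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    $sha.Dispose()
    return "$($hex.Substring(0, 12)).example"
}

function Get-ExpectedDomains {
    # Names for a window around $Now; the window absorbs clock skew on infected hosts.
    param([datetime]$Now, [int]$DaysBack = 3, [int]$DaysAhead = 3)
    (-$DaysBack)..$DaysAhead | ForEach-Object { Get-DateSeededDomain -UtcDate $Now.AddDays($_) }
}

function Find-DgaHits {
    # Return the log lines whose queried name is in the expected set.
    # Constructed log format: "<timestamp> <client-ip> QUERY <name>"
    param([string[]]$LogLines, [string[]]$Expected)
    $set = @{}
    foreach ($d in $Expected) { $set[$d.ToLower()] = $true }
    foreach ($line in $LogLines) {
        $fields = $line -split '\s+'
        if ($fields.Count -ge 4 -and $set.ContainsKey($fields[3].TrimEnd('.').ToLower())) { $line }
    }
}

$now      = [datetime]::UtcNow
$expected = Get-ExpectedDomains -Now $now
Write-Host "Blocklist candidates for the current window:"
$expected | ForEach-Object { Write-Host "  $_" }

# Constructed sample log: two benign lookups and one that matches today's name.
$sampleLog = @(
    "$($now.ToString('s')) 10.0.0.12 QUERY www.example.org",
    "$($now.ToString('s')) 10.0.0.12 QUERY $(Get-DateSeededDomain -UtcDate $now)",
    "$($now.ToString('s')) 10.0.0.27 QUERY time.example.net"
)
Write-Host "Matches in sample log:"
Find-DgaHits -LogLines $sampleLog -Expected $expected | ForEach-Object { Write-Host "  $_" }
```

The window matters in practice: a host with a wrong clock or a sample that also tries yesterday's and tomorrow's names will not match a list built for a single day.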
| thatfunkymunki wrote:
| not sure if this specific TTP is common, but generally there
| are a lot of ways that malware authors perform first c2
| discovery and then actual c2. attackers can use DNS itself
| for both of these aspects of C2. Even very old reports of
| since-long-gone attackers like APT1
| https://www.mandiant.com/media/9941/download indicate use of
| covert c2 over otherwise benign web applications like google
| calendar.
| [deleted]
| blacksmith_tb wrote:
| That seems like a fragile command and control choice, couldn't
| Google just shut down the account that owns the gDoc?
| ASalazarMX wrote:
| The author likely has a pool of fake accounts. Besides, once
| the C&C is configured the Google Drive link becomes obsolete.
| Animats wrote:
| _"For Linux machines, use Intezer Protect"_
|
| How do we know that isn't an attack?
| metadat wrote:
| Right, collectively we can't really trust those Fly-By-Night
| startups with root on our machines. Probably the folks in this
| case are currently benign, but I don't know them so how can I
| really know? And what about the future as startup finances and
| resources for the Community Edition dwindle?
|
| In past weeks wasn't it revealed that even major AV vendors
| have begun auto-installing shady crypto miners on end-user
| machines?
|
| Running all mounts as RO isn't feasible in every case. Maybe
| docker and VMs can help insulate and protect to a degree. Yet
| even still, once an attacker makes it into your private network
| it's pretty likely that the state converges to Game Over.
|
| This stonks to high heaven.
|
| _EDIT_ : Here is the Norton antivirus crypto miner story
| https://news.ycombinator.com/item?id=29795910
| Animats wrote:
| Right. We need to run anti-virus programs in jails with read-
| only file system access. That should be a standard OS
| feature. They should output a list of files to be examined or
| deleted or jailed, but not actually do anything about them.
| That should be the job of a separate, very dumb, open source
| program.
| metadat wrote:
| That would be nice, but would they still need to deflect or
| at least detect infections-in-progress?
|
| This seems impossible to achieve if you are locked up in
| jail.
| Animats wrote:
| Examining incoming stuff also needs to be split between
| the examiner, with the power only to report, and the
| trusted input and output parts, which should be dumb.
|
| The whole concept of anti-virus software being trusted is
| just wrong, both in theory and practice.
| jesprenj wrote:
| > We need to run ... That should be a standard OS feature
|
| You don't mean this should be included in _every_ operating
| system, right?
|
| I'd say the overhead would be too high for that little
| protection benefit, at least for a portion of computers.
| Animats wrote:
| It's not a big overhead item. You should be able to
| configure Linux for that, via SELinux. Read
| anything, communicate with nothing, write only to one
| file.
___________________________________________________________________
(page generated 2022-01-11 23:00 UTC)