Detecting Sysjoker backdoor malware with Wazuh

Sysjoker is a backdoor malware that was first discovered in December 2021 by Intezer. It is sophisticated and written from scratch in C++. Sysjoker is cross-platform, with Linux, Windows, and macOS variants. Possible attack vectors for Sysjoker are email attachments, malicious advertisements, and infected software. Sysjoker poses a serious threat because it can be chained with further attacks: ransomware, installation of crypto miners or spyware, adding infected machines to a botnet, and data exfiltration. Unfortunately, because Sysjoker is relatively new, it can still bypass security measures. At the time of writing, the Linux and macOS variants are completely undetected by vendors on VirusTotal.
Once Sysjoker infects a machine, it performs the following actions:
On all platforms, after Sysjoker has been executed, it creates certain directories and masquerades itself as a system update. On Windows, it masquerades as the well-known Intel Common User Interface process, igfxCUIService.exe. The event data captured for the process shows the spoofed metadata:
"company": "Intel Corporation",
"originalFileName": "IGFXCUISERVICE.EXE",
"image": "C:\\ProgramData\\SystemData\\igfxCUIService.exe",
"product": "Intel(R) Common User Interface",
"imageLoaded": "C:\\ProgramData\\SystemData\\igfxCUIService.exe",
"description": "igfxCUIService Module",
Sysjoker tries to establish persistence by various means depending on the operating system:
Linux, via a cronjob:
@reboot (/.Library/SystemServices/updateSystem) nohup '/.Library/SystemServices/updateSystem'
Windows, via a Run registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: igfxCUIService
Type: REG_SZ
Data: "C:\ProgramData\SystemData\igfxCUIService.exe"
macOS, via a LaunchAgent:
/Library/LaunchAgents/com.apple.update.plist
Sysjoker then executes Living off the Land (LOtL) commands to gather network and system information about the infected machine. On Windows endpoints it uses temporary text files to log the results of the LOtL and C2 commands. After these actions, the infected endpoint is ready to receive commands from the C2 server.
Malicious Sysjoker samples found in the wild have been indexed by malware databases (e.g. vx-underground), which name the files by their SHA-256 hashes.
The malware resolves a set of attacker-controlled domains via DNS requests and receives its C2 commands from them.
These are the files and directories created by Sysjoker after infecting an endpoint.
Linux
/.Library/
/.Library/SystemServices/updateSystem
/.Library/SystemNetwork
/.Library/log.txt
Windows
C:\ProgramData\SystemData
C:\ProgramData\SystemData\igfxCUIService.exe
C:\ProgramData\SystemData\microsoft_Windows.dll
Several temporary files in the C:\ProgramData\SystemData directory
macOS
/Library/MacOsServices
/Library/MacOsServices/updateMacOs
/Library/SystemNetwork
/Library/LaunchAgents/com.apple.update.plist
Wazuh provides detection rules that will generate alerts when Sysjoker malware is detected on an endpoint.
For Sysjoker detection on Linux/Unix endpoints, any of the following methods can be used:
We simulated Sysjoker infection on an Ubuntu 21 endpoint.
Wazuh SCA can be used to perform scans that test system hardening and configuration policies. We used an SCA policy to scan for the directory that is usually created after Sysjoker is executed. On Linux/Unix systems, Sysjoker creates a .Library folder similar to a legitimate folder in macOS.
We created the policy file /var/ossec/etc/shared/default/sysjoker_check.yml on the Wazuh manager:
policy:
  id: "sysjoker_check"
  file: "sysjoker_check.yml"
  name: "Sysjoker backdoor malware check"
  description: "Checking Sysjoker malware infection for Unix/Linux based systems."

requirements:
  title: "Checking Sysjoker on Unix/Linux based systems."
  description: "Check that system is Unix/Linux based."
  condition: any
  rules:
    - 'f:/etc/passwd'

checks:
  - id: 10000
    title: "Check for Sysjoker malware artifacts in root and \"/home/*/\" directory"
    description: "Check for sysjoker artifacts on Unix/Linux based systems."
    condition: none
    rules:
      - 'c:find / -type d -name ".Library" -> r:/\.Library$'
Please be aware that, depending on the monitored system, the find command can be CPU intensive.
Set the ownership of the policy file:
chown ossec:ossec /var/ossec/etc/shared/default/sysjoker_check.yml
From Wazuh version 4.3 and above, the owner and group are wazuh:wazuh.
Add the following to the /var/ossec/etc/shared/default/agent.conf file to enable the new policy on the Wazuh agents that belong to the default group:
<agent_config>
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>24h</interval>
    <skip_nfs>yes</skip_nfs>
    <policies>
      <policy>/var/ossec/etc/shared/sysjoker_check.yml</policy>
    </policies>
  </sca>
</agent_config>
We also edited a setting in the Wazuh agent /var/ossec/etc/local_internal_options.conf file. This is done directly on the endpoints being monitored, as there is no way to push this setting from the Wazuh manager. The purpose of this modification is to enable the execution of commands in the SCA policies received from the Wazuh manager. Remote commands are disabled by default for security reasons and have to be explicitly enabled by users. This modification is not necessary when the SCA policies are local to the agent:
echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf
Restart the Wazuh agent to apply the changes:
systemctl restart wazuh-agent
On the Wazuh dashboard, the SCA results show the check failing for an endpoint infected with Sysjoker.
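To make the "condition: none" semantics of the policy above concrete, here is a small emulation of how an SCA command check is evaluated (an added example, not code from the Wazuh post; the find command is not executed, its output is constructed):

```python
import re

# Added example, not from the Wazuh post: emulate how an SCA command check such as the
# page's 'c:find / -type d -name ".Library" -> r:/\.Library$' is evaluated, so the
# "condition: none" semantics can be verified offline on constructed command output.
# Assumption: as in SCA, a compound rule is satisfied when any output line of the
# command matches the regex after "->"; the command itself is never run here.

def parse_rule(rule):
    """Split 'c:<command> -> r:<regex>' into the command string and a compiled regex."""
    cmd_part, regex_part = (part.strip() for part in rule.split("->", 1))
    if not (cmd_part.startswith("c:") and regex_part.startswith("r:")):
        raise ValueError(f"unsupported SCA rule: {rule}")
    return cmd_part[2:], re.compile(regex_part[2:])


def rule_satisfied(rule, outputs):
    """True when at least one (constructed) output line of the command matches the regex."""
    command, regex = parse_rule(rule)
    return any(regex.search(line) for line in outputs.get(command, []))


def evaluate_check(condition, rules, outputs):
    """Return 'passed' or 'failed' following SCA condition semantics (all / any / none)."""
    results = [rule_satisfied(rule, outputs) for rule in rules]
    if condition == "all":
        ok = all(results)
    elif condition == "any":
        ok = any(results)
    elif condition == "none":
        ok = not any(results)  # finding a .Library directory makes the check FAIL
    else:
        raise ValueError(f"unknown condition: {condition}")
    return "passed" if ok else "failed"


SYSJOKER_RULE = r'c:find / -type d -name ".Library" -> r:/\.Library$'
FIND_CMD = 'find / -type d -name ".Library"'

# Constructed outputs: a clean host prints nothing, an infected host lists the directories.
CLEAN_OUTPUT = {FIND_CMD: []}
INFECTED_OUTPUT = {FIND_CMD: ["/.Library", "/home/analyst/.Library"]}

if __name__ == "__main__":
    print("clean host:   ", evaluate_check("none", [SYSJOKER_RULE], CLEAN_OUTPUT))
    print("infected host:", evaluate_check("none", [SYSJOKER_RULE], INFECTED_OUTPUT))
```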
Auditd is a framework that can be used to audit events native to Linux/Unix systems. Auditd can be used to monitor the directories and files that Sysjoker will create. We also used Auditd to detect the malicious cronjob that was executed by Sysjoker.
sudo apt -y install auditd
On Linux/Unix systems, Sysjoker creates a .Library folder similar to a legitimate folder in macOS, and a cronjob. We add the following rules to /etc/audit/rules.d/audit.rules. Replace <USER> with the user directories to be monitored:
echo "-w /.Library -p wa -k possible_sysjoker_backdoor" >> /etc/audit/rules.d/audit.rules
echo "-w /home/<USER>/.Library -p wa -k possible_sysjoker_backdoor" >> /etc/audit/rules.d/audit.rules
echo "-a always,exit -S all -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -F key=cronjob_executed" >> /etc/audit/rules.d/audit.rules
Load the rules and list the active rules to verify them:
auditctl -R /etc/audit/rules.d/audit.rules
auditctl -l
By default, the Wazuh agent collects Auditd logs from this location /var/log/audit/audit.log.
Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh manager to detect Sysjoker behavior on Linux/Unix endpoints:
<group name="sysjoker-linux-auditd,">
  <rule id="200600" level="12">
    <if_sid>80700</if_sid>
    <field name="audit.file.name" type="pcre2">(?i)\/.Library$</field>
    <description>Suspicious directory created: $(audit.file.name) - Possible Sysjoker malware infection.</description>
  </rule>
  <rule id="200601" level="12">
    <if_sid>80700</if_sid>
    <field name="audit.file.name" type="pcre2">(?i)\/.Library/SystemNetwork$</field>
    <description>Suspicious directory created: $(audit.file.name) - Possible Sysjoker malware infection.</description>
  </rule>
  <rule id="200602" level="12">
    <if_sid>80700</if_sid>
    <field name="audit.file.name" type="pcre2">(?i)\/.Library/SystemServices$</field>
    <description>Suspicious directory created: $(audit.file.name) - Possible Sysjoker malware infection.</description>
  </rule>
  <rule id="200603" level="1">
    <if_sid>80700</if_sid>
    <field name="audit.file.name" type="pcre2">(?i)\/.Library/log.txt</field>
    <description>Suspicious log file created: $(audit.file.name) - Possible Sysjoker malware infection.</description>
  </rule>
  <rule id="200604" level="12" frequency="6" timeframe="60">
    <if_matched_sid>200603</if_matched_sid>
    <field name="audit.file.name" type="pcre2">(?i)\/.Library/log.txt</field>
    <description>Suspicious log file created: $(audit.file.name) - Possible Sysjoker malware infection.</description>
  </rule>
  <rule id="200605" level="12">
    <if_sid>80700</if_sid>
    <if_matched_sid>200600</if_matched_sid>
    <field name="audit.file.name" type="pcre2">(?i)\/bin/crontab</field>
    <description>Malicious cronjob executed - Possible Sysjoker malware infection.</description>
  </rule>
</group>
Restart the Wazuh manager to apply the changes:
systemctl restart wazuh-manager
Upon infection of an endpoint by Sysjoker, alerts will be created by the rules we added to the Wazuh manager. Below are examples of such alerts:
We installed SysmonForLinux to enrich the event logs generated on the Linux endpoints. This produces enhanced monitoring of events such as process creations, network connections, and changes to the file system.
Accept the EULA, install Sysmon with the configuration file, and enable the service:
sysmon -accepteula
sysmon -i sysmonforlinux-config.xml
systemctl enable sysmon
Decoders
We added the decoders for SysmonForLinux events to the /var/ossec/etc/decoders/local_decoder.xml file.
Rules
We added the SysmonForLinux base rules to the /var/ossec/etc/rules/local_rules.xml file. Since these are base rules, their levels are set to 1, so they generate alerts that are not shown on the dashboard. We then added the following Sysjoker detection rules to the /var/ossec/etc/rules/local_rules.xml
file:
<group name="sysjoker-linux-sysmon,">
  <rule id="200250" level="12">
    <if_sid>200151</if_sid>
    <field name="eventdata.commandLine" type="pcre2">^grep -e @reboot \(/.*/.Library/.*\)|^grep -e @reboot \(/.Library/.*\)$</field>
    <description>Malicious cronjob: "$(eventdata.commandLine)" created - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1053.003</id>
      <id>T1584.005</id>
    </mitre>
  </rule>
  <rule id="200251" level="12">
    <if_sid>200151</if_sid>
    <field name="eventdata.commandLine" type="pcre2">^(sh -c cp -rf './.* '/.*/.Library/.*|cp -rf ./.*/.Library/.*|sh -c cp -rf './.* '/.Library/.*|cp -rf ./.Library/.*)</field>
    <description>Malicious file copied and renamed - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1036.004</id>
      <id>T1584.005</id>
    </mitre>
  </rule>
  <rule id="200252" level="12">
    <if_sid>200151</if_sid>
    <field name="eventdata.commandLine" type="pcre2">nohup /.*/.Library/.*|nohup /.Library/.*</field>
    <description>Malicious Nohup(no hang up) command executed: $(eventdata.commandLine) - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1584.005</id>
    </mitre>
  </rule>
  <rule id="200253" level="12">
    <if_sid>200152</if_sid>
    <field name="eventdata.image" type="pcre2">^(/.*/.Library/.*|/.Library/.*)$</field>
    <description>Network connection by malicious file: "$(eventdata.image)" - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1043</id>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event3</group>
  </rule>
  <rule id="200254" level="12">
    <if_sid>200155</if_sid>
    <field name="eventdata.targetFilename" type="pcre2">^(/.*/.Library/.*|/.Library/.*)$</field>
    <description>Malicious file: "$(eventdata.targetFilename)" created - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1584.005</id>
      <id>T1036.004</id>
    </mitre>
    <group>sysmon_event11</group>
  </rule>
  <rule id="200255" level="12">
    <if_sid>200151</if_sid>
    <field name="eventdata.commandLine" type="pcre2">^(/.*/.Library/.*|/.Library/.*)$</field>
    <description>Malicious file: "$(eventdata.commandLine)" executed - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1036.004</id>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event11</group>
  </rule>
  <rule id="200256" level="12">
    <if_sid>200151</if_sid>
    <field name="eventdata.commandLine" type="pcre2">sh -c whoami|sh -c id -u</field>
    <field name="eventdata.parentImage" type="pcre2">^(/.*/.Library/.*|/.Library/.*)$</field>
    <description>Living off the Land (LOtL) commands: "$(eventdata.commandLine)" executed by $(eventdata.parentImage) - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1049</id>
      <id>T1584.005</id>
    </mitre>
  </rule>
</group>
Restart the Wazuh manager to apply the changes:
systemctl restart wazuh-manager
Upon infection of an endpoint by Sysjoker, alerts will be generated by the rules we added to the Wazuh manager. Below are examples of such alerts:
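Before deploying rules like the ones above, it is worth checking their regexes offline against sample events. The following Python harness is an added example (not code from the Wazuh post or its rule set): it applies the process-creation regexes of the sysjoker-linux-sysmon group to constructed SysmonForLinux fields, and shows that rule 200256 fires only when both its fields match. It assumes that the base rule 200151 used as if_sid corresponds to Sysmon event ID 1 (process creation).

```python
import re

# Added example, not taken from the Wazuh post: an offline check of the sysjoker-linux-sysmon
# rule regexes against constructed SysmonForLinux process-creation fields. A rule fires only
# when every <field> it lists matches, mirroring how Wazuh evaluates multiple <field> elements
# in one rule. Assumption: base rule 200151 (the if_sid of these rules) is the Sysmon
# event ID 1 (process creation) rule, so only the process-creation rules are modelled.
RULES = {
    200250: {"eventdata.commandLine":
             r"^grep -e @reboot \(/.*/.Library/.*\)|^grep -e @reboot \(/.Library/.*\)$"},
    200251: {"eventdata.commandLine":
             r"^(sh -c cp -rf './.* '/.*/.Library/.*|cp -rf ./.*/.Library/.*"
             r"|sh -c cp -rf './.* '/.Library/.*|cp -rf ./.Library/.*)"},
    200252: {"eventdata.commandLine": r"nohup /.*/.Library/.*|nohup /.Library/.*"},
    200255: {"eventdata.commandLine": r"^(/.*/.Library/.*|/.Library/.*)$"},
    200256: {"eventdata.commandLine": r"sh -c whoami|sh -c id -u",
             "eventdata.parentImage": r"^(/.*/.Library/.*|/.Library/.*)$"},
}


def matching_rules(event):
    """Return the sorted IDs of rules whose field regexes all match the event."""
    fired = []
    for rule_id, fields in RULES.items():
        if all(re.search(pattern, event.get(name, "")) for name, pattern in fields.items()):
            fired.append(rule_id)
    return sorted(fired)


# Constructed sample events (not real telemetry) covering the behaviours the post describes.
EVENTS = {
    "copy_rename": {
        "eventdata.commandLine": "sh -c cp -rf './payload' '/home/analyst/.Library/SystemServices/updateSystem'",
        "eventdata.parentImage": "/usr/bin/dash"},
    "cron_check": {
        "eventdata.commandLine": "grep -e @reboot (/home/analyst/.Library/SystemServices/updateSystem)",
        "eventdata.parentImage": "/home/analyst/.Library/SystemServices/updateSystem"},
    "nohup_start": {
        "eventdata.commandLine": "nohup /.Library/SystemServices/updateSystem",
        "eventdata.parentImage": "/usr/bin/dash"},
    "backdoor_exec": {
        "eventdata.commandLine": "/home/analyst/.Library/SystemServices/updateSystem",
        "eventdata.parentImage": "/usr/sbin/cron"},
    "lotl_from_backdoor": {
        "eventdata.commandLine": "sh -c whoami",
        "eventdata.parentImage": "/.Library/SystemServices/updateSystem"},
    "lotl_from_shell": {  # same command, benign parent: 200256 must stay silent
        "eventdata.commandLine": "sh -c whoami",
        "eventdata.parentImage": "/usr/bin/bash"},
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:20s} -> {matching_rules(event) or 'no rule'}")
```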
We simulated Sysjoker infection on a Windows 10 endpoint.
We installed Sysmon to enrich the event logs generated on the Windows endpoint. This produces high-level monitoring of events such as process creations, network connections, and changes to the file system and registry. Sysmon is downloaded from the Microsoft Sysinternals page, installed, and configured using the Sysmon configuration file here.
Add the following to the Wazuh agent /var/ossec/etc/ossec.conf file to specify the location from which to collect Sysmon logs:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
Restart the Wazuh agent to apply the changes:
Restart-Service -Name wazuh
Rules
Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh manager:
<group name="sysjoker-windows,">
  <rule id="200301" level="12">
    <field name="win.eventdata.commandLine" type="pcre2">(?i)copy+.+\\\\ProgramData\\\\SystemData\\\\</field>
    <description>File renamed and copied to suspicious path: "$(win.eventdata.parentImage)" - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event_1,</group>
  </rule>
  <rule id="200302" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\\\ProgramData\\\\SystemData\\\\</field>
    <description>Malicious file created: "$(win.eventdata.targetFilename)" - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event_11,</group>
  </rule>
  <rule id="200303" level="12">
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\\\ProgramData\\\\SystemData\\\\</field>
    <description>Malicious file created: "$(win.eventdata.targetFilename)" - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event_11,</group>
  </rule>
  <rule id="200304" level="7">
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)^IGFXCUISERVICE.EXE$</field>
    <field name="win.eventdata.description" type="pcre2">^igfxCUIService Module$</field>
    <description>Suspicious process was created by $(win.eventdata.commandLine). Sysjoker malware uses this description: "$(win.eventdata.description)" to masquerade a backdoor on an infected endpoint. Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1036</id>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event_1,</group>
  </rule>
  <rule id="200305" level="7">
    <if_sid>200303</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\ProgramData\\\\SystemData\\\\</field>
    <description>Suspicious process was created by $(win.eventdata.image). Sysjoker malware uses this description: "$(win.eventdata.description)" to masquerade a backdoor on an infected endpoint. Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1036</id>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event_1,</group>
  </rule>
  <rule id="200306" level="7">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.description" type="pcre2">^igfxCUIService Module$</field>
    <field name="win.eventdata.originalFileName" type="pcre2">^IGFXCUISERVICE.EXE$</field>
    <description>Suspicious process was created by $(win.eventdata.commandLine). Sysjoker malware uses this description: "$(win.eventdata.description)" to masquerade a backdoor on an infected endpoint. Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1036</id>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event_1,</group>
  </rule>
  <rule id="200307" level="7">
    <if_sid>61605</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\ProgramData\\\\SystemData\\\\</field>
    <description>Suspicious network connection made by $(win.eventdata.image) - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event_3,</group>
  </rule>
  <rule id="200308" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)REG ADD HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /V igfxCUIService</field>
    <description>Suspicious Windows registry entry: "$(win.eventdata.commandLine)" by $(win.eventdata.parentImage) - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1547.001</id>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event_1,</group>
  </rule>
  <rule id="200309" level="12">
    <if_sid>61614</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\ProgramData\\\\SystemData\\\\</field>
    <description>Suspicious Windows registry entry by $(win.eventdata.image) - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1547.001</id>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event_12,</group>
  </rule>
  <rule id="200310" level="12">
    <if_sid>92302</if_sid>
    <field name="win.eventdata.details" type="pcre2">(?i)\\\\ProgramData\\\\SystemData\\\\</field>
    <description>Registry entry to be executed on next logon was modified: $(win.eventdata.targetObject) - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1547.001</id>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event_13,</group>
  </rule>
  <rule id="200311" level="12">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID" type="pcre2">^22$</field>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\ProgramData\\\\SystemData\\\\</field>
    <description>DNS query to possible C2 server. DNS query results: "$(win.eventdata.queryResults)" by $(win.eventdata.image) - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1071.004</id>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event_22,</group>
  </rule>
  <rule id="200312" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)\\\\ProgramData\\\\SystemData\\\\</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)getmac|get SerialNumber|get ipaddress|OS get Caption, CSDVersion, OSArchitecture</field>
    <description>Living off the Land (LOtL) commands: "$(win.eventdata.commandLine)" executed by $(win.eventdata.parentImage) - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1049</id>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event_1,</group>
  </rule>
</group>
Restart the Wazuh manager to apply the changes:
systemctl restart wazuh-manager
Upon infection of an endpoint by Sysjoker, alerts will be generated by the rules we added to the Wazuh manager. Below are examples of such alerts:
Conclusion
We recommend practicing good cybersecurity hygiene to prevent Sysjoker infection. Being cautious of emails with suspicious contents or links, of suspicious updates, and of malvertising is a good preventive measure. As mentioned earlier, Sysjoker is relatively new and versatile and can be used as an initial foothold for other attacks. In case of infection, this blog post details how Wazuh can be used to detect Sysjoker. Wazuh can also be used with other integrations like VirusTotal and YARA to detect malware like Sysjoker. Also, see this blog on how CDB lists and active response can be used to respond to malicious files.