Detecting Sysjoker backdoor malware with Wazuh

| by Francis Timilehin Jeremiah

Sysjoker is a backdoor malware that was first discovered in December 2021 by Intezer. It is sophisticated and written from scratch in C++. Sysjoker is a cross-platform malware with Linux, Windows, and macOS variants. Possible attack vectors for Sysjoker are email attachments, malicious advertisements, and infected software. Sysjoker poses a big threat because it can be chained with sophisticated attacks: ransomware, installing crypto miners or spyware, adding infected machines to a botnet, and data exfiltration. Unfortunately, because Sysjoker is relatively new, it can still bypass security measures. At the time of writing, the Linux and macOS variants are completely undetected by vendors on VirusTotal.

Fig 1: Linux sample of Sysjoker still undetected on VirusTotal.

Behavioral analysis

Once Sysjoker infects a machine, it will start to perform the following actions below:

  • Create folders and files.
  • Establish persistence.
  • Perform system discovery actions.
  • Lie dormant while waiting for C2 instructions.

On all platforms, after Sysjoker has been executed, it will create certain directories and masquerade itself as a system update. On Windows, it masquerades as a well-known Intel Common User Interface process, igfxCUIService.exe.

"company": "Intel Corporation",
"originalFileName": "IGFXCUISERVICE.EXE",
"image": "C:\\ProgramData\\SystemData\\igfxCUIService.exe",
"product": "Intel(R) Common User Interface",
"imageLoaded": "C:\\ProgramData\\SystemData\\igfxCUIService.exe",
"description": "igfxCUIService Module",

Sysjoker will try to establish persistence by various means depending on the operating system:

  • Linux/Unix based endpoints: It runs a cron job and executes the nohup command.
@reboot (/.Library/SystemServices/updateSystem)
nohup '/.Library/SystemServices/updateSystem'
  • Windows based endpoints: It adds itself to the Windows Run registry key.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: igfxCUIService Type: REG_SZ Data: "C:\ProgramData\SystemData\igfxCUIService.exe"
  • macOS based endpoints: It creates a file in the LaunchAgents folder.
/Library/LaunchAgents/com.apple.update.plist

Sysjoker will then execute Living off the Land (LOtL) commands to gather network and system information about the infected machine. On Windows endpoints, it logs the results of the LOtL and C2 commands to temporary text files. After all these actions, the infected endpoint is ready to receive commands from the C2 server.

Indicators of Compromise

Malicious files

These are some malicious files found in the wild that have been indexed by malware databases (e.g. vx-underground). The SHA-256 hashes of the files are used as their names.


C2 domains

These are the domains that the malware sends DNS requests and receives C2 commands from:


Files and directories created upon infection

These are the files and directories that are created by Sysjoker after infecting an endpoint.

Linux

/.Library/
/.Library/SystemServices/updateSystem
/.Library/SystemNetwork
/.Library/log.txt

Windows

/.Library/
/.Library/SystemServices/updateSystem
/.Library/SystemNetwork
/.Library/log.txt

macOS

/Library/MacOsServices
/Library/MacOsServices/updateMacOs
/Library/SystemNetwork
/Library/LaunchAgents/com.apple.update.plist

Detection with Wazuh

Wazuh provides detection rules that will generate alerts when Sysjoker malware is detected on an endpoint.

Requirements

  • An installed Wazuh manager.
  • An installed and enrolled Wazuh agent on the endpoints to be monitored.

Linux/Unix endpoint detection

For Sysjoker detection on Linux/Unix endpoints, any of the following methods can be used:

Security Configuration Assessment

Wazuh SCA can be used to perform scans that test system hardening and configuration policies. We used an SCA policy to scan for the directory that is usually created after Sysjoker is executed. On Linux/Unix systems, Sysjoker creates a .Library folder similar to a legitimate folder in macOS.

On the Wazuh manager

  • First, we create a new policy file at /var/ossec/etc/shared/default/sysjoker_check.yml:
policy:
  id: "sysjoker_check"
  file: "sysjoker_check.yml"
  name: "Sysjoker backdoor malware check"
  description: "Checking Sysjoker malware infection for Unix/Linux based systems."

requirements:
  title: "Checking Sysjoker on Unix/Linux based systems."
  description: "Check that system is Unix/Linux based."
  condition: any
  rules:
    - 'f:/etc/passwd'

checks:
  - id: 10000
    title: "Check for Sysjoker malware artifacts in root and \"/home/*/\" directory"
    description: "Check for sysjoker artifacts on Unix/Linux based systems."
    condition: none
    rules:
     - 'c:find / -type d -name ".Library" -> r:/\.Library$'
  • This SCA policy will get shared with a group of agents, which are the ones that will run the checks. In our case, we are sharing the policy with the default group, hence the default directory.

Please be aware that, depending on the monitored system, the find command can be CPU intensive.

  • Once the SCA policy file is created, the owner and group are modified so it can be used by Wazuh:
chown ossec:ossec /var/ossec/etc/shared/default/sysjoker_check.yml

From Wazuh version 4.3 and above, the owner and group are wazuh:wazuh.

  • Next, we add the SCA block to /var/ossec/etc/shared/default/agent.conf to enable the new policy on the Wazuh agents that belong to the default group:
<agent_config>
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>24h</interval>
    <skip_nfs>yes</skip_nfs>
    <policies>
      <policy>/var/ossec/etc/shared/sysjoker_check.yml</policy>
    </policies>
  </sca>
</agent_config>

On the Linux/Unix endpoint

Next, we edit a setting in the Wazuh agent file /var/ossec/etc/local_internal_options.conf. This is done directly on the endpoints that are being monitored, as there is no way to push this setting from the Wazuh manager. The purpose of this modification is to enable the execution of commands in SCA policies received from the Wazuh manager. This is not necessary when the SCA policies are local to the agent:

echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf

Restart the Wazuh agent to apply the changes:

systemctl restart wazuh-agent

We can see SCA results for an endpoint infected with Sysjoker:

Fig 2: SCA scan after Sysjoker infection on a Linux endpoint.

Auditd

Auditd is a framework that can be used to audit events native to Linux/Unix systems. Auditd can be used to monitor the directories and files that Sysjoker will create. We also used Auditd to detect the malicious cronjob that was executed by Sysjoker.

On the Linux/Unix endpoint

  • Install Auditd if it is not already installed on the endpoint:
sudo apt -y install auditd
  • We create Auditd rules to detect the .Library folder that Sysjoker creates (mimicking a legitimate macOS folder) and the cron job it installs. We add the rules to /etc/audit/rules.d/audit.rules. Replace <USER> with the user directories to be monitored:
echo "-w /.Library -p wa -k possible_sysjoker_backdoor" >> /etc/audit/rules.d/audit.rules
echo "-w /home/<USER>/.Library -p wa -k possible_sysjoker_backdoor" >> /etc/audit/rules.d/audit.rules
echo "-a always,exit -S all -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -F key=cronjob_executed" >> /etc/audit/rules.d/audit.rules
  • We reload the rules to apply the changes:
auditctl -R /etc/audit/rules.d/audit.rules
auditctl -l

By default, the Wazuh agent collects Auditd logs from /var/log/audit/audit.log.

On the Wazuh manager

  • We create the rule in /var/ossec/etc/rules/local_rules.xml to detect Sysjoker behavior on Linux/Unix endpoints:
<group name="sysjoker-linux-auditd,">
  <rule id="200600" level="12">
    <if_sid>80700</if_sid>
    <field name="audit.file.name" type="pcre2">(?i)\/.Library$</field>
    <description>Suspicious directory created: $(audit.file.name) - Possible Sysjoker malware infection.</description>
  </rule>

  <rule id="200601" level="12">
    <if_sid>80700</if_sid>
    <field name="audit.file.name" type="pcre2">(?i)\/.Library/SystemNetwork$</field>
    <description>Suspicious directory created: $(audit.file.name) - Possible Sysjoker malware infection.</description>
  </rule>

  <rule id="200602" level="12">
    <if_sid>80700</if_sid>
    <field name="audit.file.name" type="pcre2">(?i)\/.Library/SystemServices$</field>
    <description>Suspicious directory created: $(audit.file.name) - Possible Sysjoker malware infection.</description>
  </rule>

  <rule id="200603" level="1">
    <if_sid>80700</if_sid>
    <field name="audit.file.name" type="pcre2">(?i)\/.Library/log.txt</field>
    <description>Suspicious log file created: $(audit.file.name) - Possible Sysjoker malware infection.</description>
  </rule>

  <rule id="200604" level="12" frequency="6" timeframe="60">
    <if_matched_sid>200603</if_matched_sid>
    <field name="audit.file.name" type="pcre2">(?i)\/.Library/log.txt</field>
    <description>Suspicious log file created: $(audit.file.name) - Possible Sysjoker malware infection.</description>
  </rule>

  <rule id="200605" level="12">
    <if_sid>80700</if_sid>
    <if_matched_sid>200600</if_matched_sid>
    <field name="audit.file.name" type="pcre2">(?i)\/bin/crontab</field>
    <description>Malicious cronjob executed - Possible Sysjoker malware infection.</description>
  </rule>

</group>
  • Restart Wazuh manager for changes to apply:
systemctl restart wazuh-manager

Upon infection of an endpoint by Sysjoker, alerts will be created by the rules we added to the Wazuh manager. Below are examples of such alerts:

Fig 3: Alerts generated upon Sysjoker infection on a Linux endpoint (Auditd).

SysmonForLinux

On the Linux/Unix endpoint

We install SysmonForLinux to enrich the event logs generated on the Linux endpoints. This will produce enhanced monitoring of events such as process creations, network connections, and changes to the file system.

  • Install SysmonForLinux
wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install sysmonforlinux
  • After installation is complete, download the SysmonForLinux configuration file.
  • Use the SysmonForLinux configuration file:
sysmon -accepteula
sysmon -i sysmonforlinux-config.xml
  • Enable sysmon to run at startup:
systemctl enable sysmon

On the Wazuh manager

Decoders

  • After configuring SysmonForLinux, we download a list of decoders from here and copy the content to the /var/ossec/etc/decoders/local_decoder.xml file.

Rules

  • We then download these base rules detecting generic sysmon events and add them to the /var/ossec/etc/rules/local_rules.xml file. Since these are base rules, the rule levels are set to 1, to generate alerts that will not be shown on the dashboard.
  • We create rules to detect Sysjoker behavior on Linux endpoints. We also add these rules to the /var/ossec/etc/rules/local_rules.xml file:
<group name="sysjoker-linux-sysmon,">

  <rule id="200250" level="12">
    <if_sid>200151</if_sid>
    <field name="eventdata.commandLine" type="pcre2">^grep -e @reboot \(/.*/.Library/.*\)|^grep -e @reboot \(/.Library/.*\)$</field>
    <description>Malicious cronjob: "$(eventdata.commandLine)" created - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1053.003</id>
      <id>T1584.005</id>
    </mitre>
  </rule>

  <rule id="200251" level="12">
    <if_sid>200151</if_sid>
    <field name="eventdata.commandLine" type="pcre2">^(sh -c cp -rf './.* '/.*/.Library/.*|cp -rf ./.*/.Library/.*|sh -c cp -rf './.* '/.Library/.*|cp -rf ./.Library/.*)</field>
    <description>Malicious file copied and renamed - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1036.004</id>
      <id>T1584.005</id>
    </mitre>
  </rule>

  <rule id="200252" level="12">
    <if_sid>200151</if_sid>
    <field name="eventdata.commandLine" type="pcre2">nohup /.*/.Library/.*|nohup /.Library/.*</field>
    <description>Malicious Nohup(no hang up) command executed: $(eventdata.commandLine) - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1584.005</id>
    </mitre>
  </rule>

  <rule id="200253" level="12">
    <if_sid>200152</if_sid>
    <field name="eventdata.image" type="pcre2">^(/.*/.Library/.*|/.Library/.*)$</field>
    <description>Network connection by malicious file: "$(eventdata.image)" - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1043</id>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event3</group>
  </rule>

  <rule id="200254" level="12">
    <if_sid>200155</if_sid>
    <field name="eventdata.targetFilename" type="pcre2">^(/.*/.Library/.*|/.Library/.*)$</field>
    <description>Malicious file: "$(eventdata.targetFilename)" created - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1584.005</id>
      <id>T1036.004</id>
    </mitre>
    <group>sysmon_event11</group>
  </rule>

  <rule id="200255" level="12">
    <if_sid>200151</if_sid>
    <field name="eventdata.commandLine" type="pcre2">^(/.*/.Library/.*|/.Library/.*)$</field>
    <description>Malicious file: "$(eventdata.commandLine)" executed - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1036.004</id>
      <id>T1584.005</id>
    </mitre>
    <group>sysmon_event11</group>
  </rule>

  <rule id="200256" level="12">
    <if_sid>200151</if_sid>
    <field name="eventdata.commandLine" type="pcre2">sh -c whoami|sh -c id -u</field>
    <field name="eventdata.parentImage" type="pcre2">^(/.*/.Library/.*|/.Library/.*)$</field>
    <description>Living off the Land (LOtL) commands: "$(eventdata.commandLine)" executed by $(eventdata.parentImage) - Possible Sysjoker malware infection.</description>
    <mitre>
      <id>T1049</id>
      <id>T1584.005</id>
    </mitre>
  </rule>
</group>
  • Restart Wazuh manager for changes to apply:
systemctl restart wazuh-manager
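The regular expressions in these rules can be checked before they reach the manager. The following harness is an added example (not code from the post or from the Wazuh project): it replays the rules' pcre2 patterns against constructed Sysmon events with Python's re module. The mapping from base sid to Sysmon event id (200151 = event 1, 200152 = event 3, 200155 = event 11) is an assumption taken from the <group> tags above.

```python
import re

# Added example: replay the Sysjoker rule patterns against constructed Sysmon events.
# Assumption: base sids map to Sysmon event ids as the <group> tags suggest
# (200151 = event 1 process create, 200152 = event 3 network, 200155 = event 11 file create).
BASE_SID_FOR_EVENT = {1: 200151, 3: 200152, 11: 200155}

# (rule id, if_sid, {eventdata field: pattern}); patterns copied verbatim from the rules.
RULES = [
    (200250, 200151, {"commandLine": r"^grep -e @reboot \(/.*/.Library/.*\)|^grep -e @reboot \(/.Library/.*\)$"}),
    (200251, 200151, {"commandLine": r"^(sh -c cp -rf './.* '/.*/.Library/.*|cp -rf ./.*/.Library/.*|sh -c cp -rf './.* '/.Library/.*|cp -rf ./.Library/.*)"}),
    (200252, 200151, {"commandLine": r"nohup /.*/.Library/.*|nohup /.Library/.*"}),
    (200253, 200152, {"image": r"^(/.*/.Library/.*|/.Library/.*)$"}),
    (200254, 200155, {"targetFilename": r"^(/.*/.Library/.*|/.Library/.*)$"}),
    (200255, 200151, {"commandLine": r"^(/.*/.Library/.*|/.Library/.*)$"}),
    (200256, 200151, {"commandLine": r"sh -c whoami|sh -c id -u",
                      "parentImage": r"^(/.*/.Library/.*|/.Library/.*)$"}),
]


def matching_rules(event):
    """Return the ids of the rules a Sysmon event would trigger.

    `event` holds the Sysmon EventID plus the eventdata fields the rules read.
    As in Wazuh, every <field> of a rule must match (unanchored search)."""
    base_sid = BASE_SID_FOR_EVENT.get(event["event_id"])
    return [rule_id for rule_id, if_sid, fields in RULES
            if if_sid == base_sid
            and all(re.search(pat, event.get(name, "")) for name, pat in fields.items())]


# Constructed sample events modelled on the behaviour described in this post.
SAMPLE_EVENTS = {
    "cron_check":   {"event_id": 1, "commandLine": "grep -e @reboot (/.Library/SystemServices/updateSystem)", "parentImage": "/bin/sh"},
    "nohup_start":  {"event_id": 1, "commandLine": "nohup /.Library/SystemServices/updateSystem", "parentImage": "/bin/sh"},
    "lotl_whoami":  {"event_id": 1, "commandLine": "sh -c whoami", "parentImage": "/.Library/SystemServices/updateSystem"},
    "c2_connect":   {"event_id": 3, "image": "/home/alice/.Library/SystemServices/updateSystem"},
    "log_write":    {"event_id": 11, "targetFilename": "/.Library/log.txt"},
    # Benign look-alikes: the same command from a normal parent, and a normal binary connecting out.
    "admin_whoami": {"event_id": 1, "commandLine": "sh -c whoami", "parentImage": "/usr/bin/bash"},
    "curl_connect": {"event_id": 3, "image": "/usr/bin/curl"},
}


def run_samples():
    """Map each sample event name to the rule ids it triggers."""
    return {name: matching_rules(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:13s} -> {hits or 'no alert'}")
```

The two benign samples show that rule 200256 only fires when both fields match, so an administrator running whoami from a shell does not alert.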

Upon infection of an endpoint by Sysjoker, alerts will be generated by the rules we added to the Wazuh manager. Below are examples of such alerts:

Fig 4: Alerts generated upon Sysjoker infection on a Linux endpoint (SysmonForLinux).

Windows endpoint detection

On the Windows endpoint

Install Sysmon

This provides detailed monitoring of events such as process creations, network connections, and changes to the file system and registry. Sysmon is downloaded from the Microsoft Sysinternals page, installed, and configured using the Sysmon configuration file here.

Configure log collection

  • Edit the /var/ossec/etc/ossec.conf file to specify the location to collect Sysmon logs:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
  • Restart the Wazuh agent for changes to apply using PowerShell:
Restart-Service -Name wazuh

On the Wazuh manager

Rules

  • We create rules to detect Sysjoker behavior on Windows endpoints. We also add these rules to the /var/ossec/etc/rules/local_rules.xml file:

local_rules.xml

  • Restart Wazuh manager for changes to apply:
systemctl restart wazuh-manager

Upon infection of an endpoint by Sysjoker, alerts will be generated by the rules we added to the Wazuh manager. Below are examples of such alerts:

Fig 5: Alerts generated upon Sysjoker infection on a Windows endpoint.

Conclusion

We recommend practicing good security hygiene to prevent Sysjoker infection. Being cautious of emails containing suspicious content or links, suspicious updates, and malvertising are good preventive measures. As mentioned earlier, Sysjoker is relatively new and versatile and can be used as an initial foothold to carry out other attacks. In case of infection, this blog post details how Wazuh can be used to detect Sysjoker. Wazuh can also be used with other integrations like VirusTotal and YARA to detect malware like Sysjoker. Also, see this blog on how CDB lists and active response can be used to respond to malicious files.