Managed Detection and Response

How to Detect Emerging Threats on your Network?

In December 2021, a new remote access trojan (RAT) was discovered and investigated by the cyber security firm Intezer. SysJoker is an advanced RAT written to infect macOS, Windows, and Linux operating systems, meaning most modern-day networks are at risk.

Written by

Team Nucleus

Written on

23rd May, 2022


Once a host is infected, SysJoker can install additional malware onto the network, run commands, and eventually remove itself from the infected network. These capabilities can lead to a wide range of security problems for businesses, as the attacker can use the command channel to exfiltrate specific data or cause a denial of service on critical systems. The malware is tailored to its target, meaning it behaves differently depending on the OS in use, which indicates it was written by an experienced hacker. The anti-virus evasion techniques built into the malware allow the RAT to remain undetected on a network until it is called upon through its command and control (C2) infrastructure.

Telesoft can use the TDAC to hunt for known and unknown threats, including SysJoker. Intezer released a list of indicators of compromise (IoCs) which assist in this threat hunt. Firstly, because the malware relies on a command and control (C2) infrastructure, Telesoft can use bespoke hunting techniques and custom dashboards on the TDAC to highlight botnet communications. This returns all connections that look suspicious, such as a host communicating routinely throughout the day on an IRC port. In addition, it highlights connections that only ever occur between the same pair of addresses, indicating that an infected IP is signalling back to the C2. The TDAC can search an entire network for an IP address associated with the malware using its advanced built-in query engine. Depending on how the TDAC has been configured, this search can look back through at least 3 months of flow data to see whether that IP has communicated with the network in any form.
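The three hunting signals described above (regular check-ins on an IRC port, hosts that only ever talk to a single peer, and a lookback search of flow records for an IoC address) can be expressed as simple queries over flow data. The following is an added illustration, not Telesoft's TDAC logic or Intezer's IoC list: the flow records are constructed sample data, the IoC addresses are placeholders from documentation ranges, and the jitter threshold and 90-day lookback are assumed values chosen for the demo.

```python
"""Hunt for C2-style beaconing in network flow records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Plain-text IRC and IRC-over-TLS ports; routine traffic here is worth a look.
IRC_PORTS = {6667, 6697}

# Constructed flow records (not real traffic): (timestamp, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    # 10.0.0.5 checks in with 203.0.113.10:6667 roughly every 10 minutes -> beacon-like.
    ("2022-05-20T09:00:00", "10.0.0.5", "203.0.113.10", 6667),
    ("2022-05-20T09:10:02", "10.0.0.5", "203.0.113.10", 6667),
    ("2022-05-20T09:19:58", "10.0.0.5", "203.0.113.10", 6667),
    ("2022-05-20T09:30:01", "10.0.0.5", "203.0.113.10", 6667),
    ("2022-05-20T09:40:00", "10.0.0.5", "203.0.113.10", 6667),
    # Ordinary browsing from 10.0.0.7: irregular timing, several destinations.
    ("2022-05-20T09:01:12", "10.0.0.7", "198.51.100.20", 443),
    ("2022-05-20T09:03:45", "10.0.0.7", "198.51.100.21", 443),
    ("2022-05-20T09:27:09", "10.0.0.7", "198.51.100.20", 443),
    ("2022-05-20T10:15:30", "10.0.0.7", "198.51.100.22", 443),
    # Old flow to an IoC address, but outside the demo's 90-day lookback window.
    ("2022-01-15T12:00:00", "10.0.0.9", "192.0.2.44", 443),
]

# Placeholder IoC list (documentation addresses, NOT the real SysJoker IoCs).
PLACEHOLDER_IOC_IPS = {"203.0.113.10", "192.0.2.44"}

# Fixed "current time" so the lookback window is reproducible in the demo.
DEMO_NOW = datetime(2022, 5, 23)


def parse_flows(raw):
    """Turn ISO timestamps into datetime objects; other fields pass through."""
    return [(datetime.fromisoformat(ts), src, dst, port) for ts, src, dst, port in raw]


def find_beacons(flows, min_connections=4, max_jitter=0.2):
    """Return (src, dst, port, period_seconds) for src/dst/port triples whose
    inter-arrival times are regular: pstdev/mean of the gaps <= max_jitter."""
    by_triple = defaultdict(list)
    for ts, src, dst, port in flows:
        by_triple[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in by_triple.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, port, round(avg)))
    return hits


def single_peer_sources(flows, min_connections=4):
    """Sources with at least min_connections flows that all go to one destination."""
    peers = defaultdict(set)
    counts = defaultdict(int)
    for _, src, dst, _ in flows:
        peers[src].add(dst)
        counts[src] += 1
    return sorted(s for s in peers if counts[s] >= min_connections and len(peers[s]) == 1)


def search_ioc(flows, ioc_ips, now=DEMO_NOW, lookback_days=90):
    """Flows inside the lookback window with an IoC address on either end."""
    cutoff = now - timedelta(days=lookback_days)
    return [(ts.isoformat(), src, dst, port) for ts, src, dst, port in flows
            if ts >= cutoff and (src in ioc_ips or dst in ioc_ips)]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, port, period in find_beacons(flows):
        irc = " (IRC port)" if port in IRC_PORTS else ""
        print(f"beacon: {src} -> {dst}:{port} every ~{period}s{irc}")
    print("single-peer sources:", single_peer_sources(flows))
    for hit in search_ioc(flows, PLACEHOLDER_IOC_IPS):
        print("IoC match:", hit)
```

The jitter test (standard deviation of the gaps divided by their mean) is what separates a timer-driven check-in from a person browsing, and the lookback cutoff is why retention of flow data matters: the January flow to an IoC address is invisible to a 90-day search.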


Once a connection has been discovered by Telesoft's 24/7 Threat Hunting Team, a case is created and a rigorous investigation begins. Telesoft can provide both active and passive response methods, which can be pre-determined and tailored to the customer. Timing is a huge factor when it comes to breaches, so threat hunting is a critical tool to help minimise damage to the network, systems, and business reputation.


Find out more about how you can better protect your business with our Managed Detection and Response Service
