Sneaky Spies and Backdoor RATs | SysJoker and DazzleSpy Malware Target macOS

As last year closed out, we provided a round-up of the previous 12 months of Mac malware, observing that, among other things, 2021’s macOS malware cohort showed a focus on spyware and on targeting users in Asia, particularly China and Hong Kong. The first month of 2022 has seen those trends continue, with two new malware campaigns discovered in January: SysJoker and DazzleSpy.

In this post, we give brief overviews of these two new malware families, offering both additional details not previously reported along with indicators for detection and threat hunting.

SysJoker (11th Jan, 2022)

The first new Mac malware report of 2022 came courtesy of researchers at Intezer in the form of a threat they dubbed SysJoker, which comes in Windows, Linux and macOS variants. Researchers say that the Linux version was found in-the-wild infecting a server belonging to “a leading educational institution”.

The Mac-specific variant of this malware is a Universal binary named types-config.ts, compiled for both Intel x86 and Apple silicon M1 arm64 architectures.

Upon execution, the Mach-O installs a persistence LaunchAgent that masquerades as an Apple launch service ~/Library/LaunchAgents/com.apple.update.plist.

Persistence mechanism used by SysJoker malware on macOS

The fake service targets an executable called ~/Library/MacOsServices/updateMacOs. This file is also written by the types-config.ts file and is in fact a straight copy of itself. The SentinelOne agent captures the chain of execution and displays it in the Management console for easy pivoting and threat hunting.

OSX.SysJoker backdoor execution chain as captured by the SentinelOne agent

The malware is written in C++ and much of the initial action occurs in the entry.init0 function. Using r2, we can get a quick summary of the function’s important strings.

Some of the embedded strings in the SysJoker binary

The “drive.google.com” address delivers a file, “domain.txt”, that contains an obfuscated domain name. The key shown above at address 0x1000139e2 is used to decode the contents of “domain.txt”, which turns out to be the domain “graphic-updater.com”.

Other hardcoded strings are then concatenated with the decoded domain to form the full C2 URL.

https://graphic-updater[.]com/api/attach
The C2 address is determined on-the-fly during execution

We note that SysJoker has a peculiarity that, to our knowledge, has not been described by other researchers. In our tests, if the malware is run as root when the path

/Users/root/Library/SystemNetwork

does not exist, the malware will abort.

That’s an unusual path, as the root user’s home directory on macOS is /var/root, not /Users/root.

Whether this is an oversight or a peculiarity of SysJoker’s intended target is unclear. At this point, we have no explanation for this behaviour, but merely note that if /Users/root does exist, then the malware executes as expected, and drops the components under that file path hierarchy.

SysJoker uses an unorthodox path for a macOS root user

According to previous researchers who also analyzed the Windows and Linux variants, SysJoker’s primary purpose is to await commands from the C2. We, and our sample, did indeed wait, but the C2 appeared to be uninterested in talking to either of us. Intezer has more details on the backdoor’s functionality.

How To Protect Against OSX.SysJoker

The SentinelOne Singularity platform fully detects OSX.SysJoker.

SentinelOne detects SysJoker on execution

Aside from the one reported in-the-wild incident against a “leading educational institution”, it is unclear at this time how SysJoker is distributed, who it targets, or what the authors’ objectives are. However, the cross-platform nature of the malware suggests that it may be part of a wider campaign, and it is imperative that organizations have a capable multi-engined security solution in place to defend against these kinds of attacks.

DazzleSpy (25th Jan)

OSX.DazzleSpy was discovered by ESET researchers following the same trail as Google’s Project Zero from a poisoned watering hole targeting Hong Kong pro-democracy activists. Whereas Google’s investigation led them to macOS.Macma, researchers Marc-Etienne M.Léveillé and Anton Cherepanov caught a quite different payload.

OSX.DazzleSpy comes in the form of an unsigned Mach-O file compiled for the Intel x86 architecture, although it’s perfectly possible that undiscovered ARM versions exist as well.

On execution, the Mach-O installs a persistence LaunchAgent that masquerades as an Apple launch service at ~/Library/LaunchAgents/com.apple.softwareupdate.plist. This fake service targets an executable called “softwareupdate” written inside a hidden folder of the user’s home directory, ~/.local/softwareupdate.

DazzleSpy LaunchAgent property list for persistence

The executable “softwareupdate” contains a mixture of public and private frameworks. On the public side, the malware authors have adopted the tonymillion Reachability framework to determine network connections, YYModel for efficient parsing of JSON data, and GCDAsyncSocket to handle TCP/IP socket networking tasks. A date comparison method, +(int)compareOneDay:(NSDate *)oneDay withAnotherDay:(NSDate *)anotherDay, also appears to have been lifted from a Chinese-language programming forum.

DazzleSpy contains a mix of public and private frameworks and methods

For functionality, DazzleSpy contains code for searching and writing files, exfiltrating environmental info, dumping the keychain, running a remote desktop and running shell commands, among others.

A number of methods are run as shell commands via NSTask APIs

DazzleSpy collects and drops a number of other files in the hidden ~/.local directory related to espionage and data collection.

Some of the hardcoded paths found in the DazzleSpy executable
~/.local/softwareupdate
~/.local/security/keystealDaemon
~/.local/security.zip
~/.local/SearchFiles
~/.local/RecoveryFiles
~/.local/security

Although we only saw the first of these files dropped in our tests, analysis of the static code suggests that another hidden directory, .Documenty, may also be used by the malware.

A path we didn’t see on execution, but potentially useful for hunting
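Both families persist the same way: a LaunchAgent with a com.apple.* label dropped into the user’s ~/Library/LaunchAgents, pointing at a copy of the malware under the home directory. The following hunting script is an added example written for this post (not SentinelOne’s agent or any tooling from the original write-up): it checks a home directory for the SysJoker and DazzleSpy paths listed above and, more generally, flags any Apple-named user LaunchAgent whose program lives outside /System or /usr. The demo fixture it builds under a temporary directory is constructed for illustration only and carries no payload.

```bash
#!/bin/bash
# Hunt for the on-disk persistence artifacts described above (SysJoker and
# DazzleSpy) under a user's home directory. Added example for this post, not
# SentinelOne tooling. Usage: hunt_mac_persistence [HOME_DIR]

# Artifact paths taken from the write-up, relative to the home directory.
IOC_PATHS="Library/LaunchAgents/com.apple.update.plist
Library/MacOsServices/updateMacOs
Library/LaunchAgents/com.apple.softwareupdate.plist
.local/softwareupdate
.local/security/keystealDaemon
.local/security.zip
.local/SearchFiles
.local/RecoveryFiles
.Documenty"

# Prints one line per finding; exit status is 0 only when nothing was found.
hunt_mac_persistence() {
    home="${1:-$HOME}"
    found=0
    for rel in $IOC_PATHS; do
        if [ -e "$home/$rel" ]; then
            echo "ioc-path: $home/$rel"
            found=$((found + 1))
        fi
    done
    # Heuristic: Apple ships its own agents in /System/Library/LaunchAgents, so a
    # com.apple.* label in a user's LaunchAgents whose program lives outside
    # /System or /usr is worth a look even when the exact file name is new.
    for plist in "$home"/Library/LaunchAgents/com.apple.*.plist; do
        [ -f "$plist" ] || continue
        # The first absolute path in a <string> element is normally the program.
        prog=$(sed -n 's|.*<string>\(/[^<]*\)</string>.*|\1|p' "$plist" | head -n 1)
        case "$prog" in
            /System/*|/usr/*) ;;
            *) echo "apple-named-agent: $plist -> ${prog:-<no program path>}"
               found=$((found + 1)) ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Constructed lab fixture: a home directory carrying SysJoker-style persistence
# (a fake com.apple.update agent pointing at an empty file under Library/MacOsServices).
make_demo_home() {
    demo=$(mktemp -d)
    mkdir -p "$demo/Library/LaunchAgents" "$demo/Library/MacOsServices"
    : > "$demo/Library/MacOsServices/updateMacOs"
    cat > "$demo/Library/LaunchAgents/com.apple.update.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.update</string>
  <key>ProgramArguments</key>
  <array><string>$demo/Library/MacOsServices/updateMacOs</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    echo "$demo"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_home)
    hunt_mac_persistence "$demo" || echo "persistence artifacts present"
    rm -rf "$demo"
fi
```

Run it with `--demo` to see the three findings the fixture produces, or with no argument to check the current user’s home directory; on a real host, also review /Library/LaunchAgents and /Library/LaunchDaemons, which this script does not cover.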

The authors appear to have been careless (or perhaps deliberate!) in leaving artifacts from the development environment. As noted by ESET, one user name embedded in the malware is “wangping”, but we also note two others: “wp” and “XpathX”.

Usernames found embedded in the DazzleSpy binary

Of these, “XpathX” seems to have a number of paths typical of an active user, but why these should have found their way into the code is both mysterious and suspicious.

Multiple paths for user “XpathX” are embedded in DazzleSpy

There’s no obvious mechanism that would easily result in those being embedded accidentally, and one could be forgiven for thinking that these paths were deliberately placed. We might also wonder about the authenticity of other paths such as /Users/wangping/pangu/.

How To Protect Against OSX.DazzleSpy

OSX.DazzleSpy, like macOS.Macma before it, appears to be aimed at visitors to certain websites holding content about, or of interest to, Hong Kong pro-democracy activists and activism. Although that is a small demographic, the threat actors also exploited a (now-patched) local privilege escalation, CVE-2021-30869, to run the payload as root.

SentinelOne’s behavioral engine detects OSX.DazzleSpy on execution. In order to prevent infections like DazzleSpy, be sure to install a good behavioral AI engine that can recognize novel threats based on what they do. Legacy AV scanners that rely on known signatures or cloud reputation services alone will not be able to stop threats that have not previously been detected in the wild.

SentinelOne detects OSX.DazzleSpy on execution

Admin users can view details including threat indicators in the Management console and pivot directly from there to Deep Visibility for extended threat hunting across the estate if required.

The SentinelOne behavioral AI catches the malware attempting persistence

Conclusion

These two new Mac malware families continue trends we noted previously in macOS malware. DazzleSpy’s use of vulnerabilities is a clear warning to those that continue to insist Mac users cannot get malware if they engage in “safe behavior”: such a stance does not match today’s threatscape.

Meanwhile, SysJoker’s cross-platform backdoor functionality shows that threat actors are factoring in Mac targets along with Windows and Linux as they develop new ways to steal data and compromise organizations. As with all your other endpoints, it is vital to keep your Mac fleet protected by a capable, defense-in-depth security solution such as the SentinelOne platform.

If you would like to learn more about how SentinelOne can protect your Mac, Windows, Linux, ChromeOS, IoT and Cloud workload endpoints, contact us or request a free demo.

Indicators of Compromise

OSX.SysJoker

DNS REQUESTS
drive.google.com.
googlehosted.l.googleusercontent.com.
graphic-updater.com.

COMMANDS EXECUTED
/bin/sh
/bin/bash
/usr/bin/whoami

FILEPATHS
/Users/root/Library/SystemNetwork
~/Library/MacOsServices/updateMacOs

OSX.DazzleSpy

FILEPATHS
~/Library/LaunchAgents/com.apple.softwareupdate.plist
~/.local/softwareupdate
~/.local/security.zip
~/.local/security/keystealDaemon
.Documenty/security/libkeystealClient.dylib
.Documenty/security/keys.err
.Documenty/security/security-unsigned
.Documenty/security/keystealDaemon

C2
88.218.192[.]128:5633

