SYK Crypter Detection: NET. Malware Spreading a Batch of RATs via Discord

As Discord is gaining extreme popularity among online user communities, with 150 million people using it as of 2021, hackers turn their sights to this chat, VoIP, and digital distribution platform. The possible attack surface is vast and promising, allowing threat actors to abuse Discord for malware distribution and other nefarious actions. 

Recently, security researchers have revealed yet another malware exploiting the trending Discord attack kill chain. Particularly, hackers abuse the Discord CND (Content Distribution Network) to drop a plea of remote access Trojans with the help of a novel SYK crypter.

Detect SYK Crypter

Detect the malicious activity associated with highly-evasive SYK crypter malware by leveraging a dedicated Sigma rule provided by our prolific Threat Bounty author Osman Demir. Access the Sigma rule translated into 23 SIEM, EDR & XDR formats via the link below:

Suspicious Syk Crypter Execution with Powershell (via cmdline)

To reach more curated detection content addressing the emerging threats and get the full context enriched with MITRE ATT&CK references, CTI links, and other valuable metadata, you are most welcome to explore the Threat Detection Marketplace repository powered by SOC Prime’s Detection as Code platform. 

Are you an established professional in threat hunting and detection engineering? Monetize your advanced cybersecurity skills by joining our Threat Bounty Program. Submit your Sigma, Yara, or Snort rules, get them published to our platform, and receive repeated payouts while contributing to collaborative cyber defense. 

View Detections Join Threat Bounty

SYK Crypter Attack Chain

According to the research by Morphisec, SYK Crypter operators haven’t missed a chance to leverage a popular Discord attack chain for malware distribution. In May 2022, security experts reported multiple SYK Crypter infections conducted with the help of Discord CND. 

Particularly, the attack starts with a phishing email holding a malicious file attached. The file is masquerading as a legitimate purchase order, but if opened, it triggers the infection chain. At the first stage, DNetLoader lands onto the victim’s machine to connect to a hardcoded Discord CND endpoint and download the encrypted files. Further, the SYK crypter comes into action, decrypting the final payload stored as a PE resource. Further inquiry reveals that SYK spreads multiple remote access Trojans and stealers, including WarzoneRAT, AsyncRAT, Quasar RAT, NanoCore RAT, RedLine Stealer, and more. 

SYK Crypter Analysis

According to Morphisec experts, SYK crypter is an innovative threat leveraging a broad range of evasive techniques to outsmart cyber defenders and bypass signature and behavior-based security controls. Specifically, SYK is able to detect and overcome the AV solutions, check for debugging environments, gain persistence through startup folder, and execute the payload using the process hollowing technique. 

Neverending efforts to tune up the defenses against the latest threats seem challenging. With SOC Prime’s Detection as Code platform powered by the collaborative cyber defense, you can significantly boost your threat detection capabilities and threat hunting velocity, outspeeding and outsmarting the adversaries.