A new multi-platform backdoor malware known as 'SysJoker' has been discovered in the wild, targeting Windows, Linux, and macOS and capable of evading detection on all three platforms. SysJoker was identified during an active attack on a renowned educational institution's Linux-based web server.
Researchers discovered that SysJoker also has Mach-O and Windows PE versions after further examination. They believe that the SysJoker attack began in the second half of 2021, based on C2 domain registration and samples detected in VirusTotal.
SysJoker disguises itself as a system update and creates its C2 by decoding a string from a text file housed on Google Drive. The C2 changed three times during Intezer's analysis, showing that the attacker was active and monitoring for affected machines.
Intezer believes SysJoker is targeting certain targets based on victimology and malware behavior. SysJoker was submitted to VirusTotal with the TypeScript file extension .ts. An infected npm package could be used as an attack vector for this malware.
The malware is written in C++, and while each variant is customized for the targeted operating system, they all go undetected by VirusTotal, a malware scanning website that employs 57 different antivirus detection engines. On Windows, SysJoker deploys a first-stage dropper in the form of a DLL that uses PowerShell commands to perform tasks such as fetching the SysJoker ZIP from a GitHub repository, unzipping it on “C:\ProgramData\RecoverySystem\” and executing the payload.
After then, the virus waits for up to two minutes before establishing a new directory and cloning itself as an Intel Graphics Common User Interface Service ("igfxCUIService.exe"). “Next, SysJoker will gather information about the machine using Living off the Land (LOtL) commands. SysJoker uses different temporary text files to log the results of the commands,” explains Intezer’s report. "These text files are deleted immediately, stored in a JSON object and then encoded and written to a file named “microsoft_Windows.dll”.”
The report includes detailed indicators of compromise (IOCs) that administrators can use to detect the presence of SysJoker on an infected device.
On Windows, the malware files are located under the "C:\ProgramData\RecoverySystem" folder, at C:\ProgramData\SystemData\igfxCUIService.exe, and C:\ProgramData\SystemData\microsoft_Windows.dll. On Linux, the files and directories are created under “/.Library/” while persistence is established by creating the following cron job: @reboot (/.Library/SystemServices/updateSystem). On macOS, the files are created on "/Library/” and persistence is achieved via LaunchAgent under the path: /Library/LaunchAgents/com.apple.update.plist.
