SysJoker, a new multi-platform backdoor malware that targets Windows, Linux, and macOS and can elude detection on all three operating systems, has been discovered in the wild.
The new virus was discovered by Intezer researchers who first noticed evidence of its activity in December 2021 while researching an attack on a Linux-based web server.
The malware sample was originally uploaded to VirusTotal in H2 2021, which corresponds to the C2 domain registration dates.
The security researchers have now produced a thorough technical study on SysJoker, which they shared with Bleeping Computer before it was published.
The malware is written in C++, and while each variant is tailored to the target operating system. All of them are undetectable by VirusTotal, an online malware scanning site that uses 57 different antivirus detection engines.
SysJoker uses a DLL as a first-stage dropper on Windows, which uses PowerShell instructions to do the following:
Download the SysJoker ZIP from GitHub, unzip it on “C: ProgramDataRecoverySystem,” and run the payload.
The malware then waits for up to two minutes before copying itself as an Intel Graphics Common User Interface Service (“igfxCUIService.exe”).
“Next, SysJoker will use living off the Land (LOtL) instructions to acquire information about the machine.”To log the results of the commands, SysJoker employs various temporary text files,” according to Intezer’s study.
“These text files are instantly destroyed, then placed in a JSON object, which is subsequently encoded and written to a file called “Microsoft Windows.dll.”
The malware will develop persistence by inserting a new registry entry (HKEY CURRENT USERSoftwareMicrosoftWindowsCurrentVersionRun) after gathering system and network data. All functions leading up to this point are interspersed with random sleep intervals.
The malware’s next step is to connect to the actor-controlled C2 server, which it does via a hardcoded Google Drive URL.
The URL points to a “domain.txt” file that the actors change on a regular basis to keep live beacons connected to available servers. To avoid detection and blocking, this list is updated on a regular basis.
As the first handshake, the system information gathered in the early stages of the infection is conveyed to the C2. The C2 responds with a one-of-a-kind token that serves as the infected endpoint’s identify.
The C2 may then direct the backdoor to install further malware, conduct commands on the infected device, or delete the backdoor from the device. Those last two directives, however, have yet to be implemented.
Despite the lack of a first-stage dropper in the form of a DLL in the Linux and macOS variants, they ultimately conduct the same harmful behaviour on the infected device.
Intezer’s report includes detailed indicators of compromise (IOCs) that administrators can use to determine whether a device is infected with SysJoker.
Some of the IOCs for each operating system are listed here.
On Windows, the malware files can be found at C:Program DataSystemDataigfxCUIService.exe and C:ProgramDataSystemDatamicrosoft Windows.dll in the “C:ProgramDataRecoverySystem” folder. The malware creates an Autorun “Run” value of “igfxCUIService” for persistence, which starts the igfxCUIService.exe malware executable.
The files and directories are generated under “/.Library/” on Linux, and persistence is achieved by setting up the cron job: (/.Library/SystemServices/updateSystem) @reboot.
The files are created in “/Library/” on macOS, and persistence is accomplished by LaunchAgent at /Library/LaunchAgents/com.apple.update.plist.
The following are the C2 domains mentioned in the Intezer report:
If any user believe they have been hacked by SysJoker, take the following three steps: