Windows, macOS, and Linux OSs Targeted by SysJoker Backdoor
Here’s Everything to Know about the New Malware.
Last updated on January 12, 2022
Cybersecurity researchers have issued a warning about SysJoker, a brand-new multiplatform malware that targets Windows, Mac, and Linux. According to them, the backdoor is able to remain undetected on all three operating systems.
The new backdoor was initially discovered in December 2021 by experts at security software company Intezer during an active attack on a Linux-based web server of a leading educational institution.
The researchers believe that the SysJoker attack began during the second half of 2021, based on command and control (C2) domain registration and the samples discovered in VirusTotal.
More on SysJoker Malware
The newly discovered backdoor is written in C++, and while each version is tailored to its target operating system, all of them went undetected on VirusTotal, an online malware scanning service that runs 57 different antivirus detection engines.
SysJoker Backdoor M.O.
As explained by BleepingComputer, the Windows version, unlike the Mac and Linux samples, includes a first-stage dropper. The dropper is a DLL that uses PowerShell commands to download the SysJoker ZIP from a GitHub repository, unzip it into “C:\ProgramData\RecoverySystem”, and run the payload.
As per the report, when the backdoor is executed, it sleeps for 90 to 120 seconds, then creates the C:\ProgramData\SystemData directory and copies itself there as igfxCUIService.exe, masquerading as the Intel Graphics Common User Interface Service.
After collecting system and network data, the backdoor establishes persistence by creating a new entry under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key. Random sleep periods are interleaved between all of the steps leading up to this point.
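As an added example (not code from the article or from Intezer's report), the following Python triage routine flags autorun entries that match the Windows behaviour just described: an image under either of the two ProgramData directories, or a file named igfxCUIService.exe outside the System32 tree where the genuine Intel service is expected. The trusted-location assumption and the sample entries are constructed for this example, and the check covers the Run key of both hives rather than only HKCU.

```python
import ntpath
import re

# Directories and file name used by SysJoker's Windows variant, as reported above.
SYSJOKER_DIRS = (r"C:\ProgramData\RecoverySystem", r"C:\ProgramData\SystemData")
MASQUERADED_NAME = "igfxcuiservice.exe"
# Assumption for this example: the genuine Intel graphics service binary lives
# under System32 (directly or in the driver store), never under ProgramData.
TRUSTED_PREFIXES = (r"C:\Windows\System32",)
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

def extract_image_path(command: str) -> str:
    """Return the executable path from a Run-key command line, handling
    quoted paths and trailing arguments."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
        path = m.group(1) if m else command
    return ntpath.normpath(path)

def _under(path: str, prefix: str) -> bool:
    p, q = path.lower(), ntpath.normpath(prefix).lower()
    return p == q or p.startswith(q + "\\")

def assess_run_entry(key: str, command: str) -> list[str]:
    """List the reasons an autorun entry matches the SysJoker behaviour (empty if none)."""
    if not key.lower().endswith(r"\software\microsoft\windows\currentversion\run"):
        return []
    image = extract_image_path(command)
    reasons = []
    if any(_under(image, d) for d in SYSJOKER_DIRS):
        reasons.append(f"autorun image under a SysJoker staging directory: {image}")
    if ntpath.basename(image).lower() == MASQUERADED_NAME and not any(
            _under(image, t) for t in TRUSTED_PREFIXES):
        reasons.append(f"igfxCUIService.exe outside its expected location: {image}")
    return reasons

def scan(entries) -> dict[str, list[str]]:
    """Map autorun entry name -> reasons, keeping only entries that triggered."""
    return {name: r for key, name, cmd in entries if (r := assess_run_entry(key, cmd))}

# Constructed sample entries in the style of an autoruns export (not real telemetry).
SAMPLE_ENTRIES = [
    (RUN_KEY, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEY, "igfxCUIService", r"C:\ProgramData\SystemData\igfxCUIService.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
]
```

Running `scan(SAMPLE_ENTRIES)` returns only the masquerading entry, with both reasons attached; a genuine igfxCUIService.exe under System32 produces no finding.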
Following this, the backdoor reaches out to the C2 server controlled by the attacker via a hardcoded Google Drive link.
The link points to a “domain.txt” file that the attackers keep updated with the C2 servers currently available to live beacons; rotating the list this way helps the malware evade detection and blocking.
The data gathered during the initial stages of the infection is sent to the C2 as the first handshake. The C2 responds with a unique token that serves as the compromised endpoint’s identifier.
The C2 may then instruct the malware to deliver more malware, execute commands on the affected machine, or delete the backdoor from the device. Those last two commands, however, had not yet been put to use at the time of the report.