A new multi-platform malware has been detected in the wild recently by the security experts at Intezer that is stealing users’ sensitive data from all the major platforms like:-
This malware has been named ‘SysJoker,’ and this malware comes with several stealthy features; among them comes the capability to circumvent detection on all three major operating systems that we have mentioned above.
In H2 2021, the first sample of the malware was uploaded and occurred with the C2 domain enrollment times. And in December 2021, the first signs of its activity on a Linux-based web server were identified by the experts.
SysJoker – A Stealthy Malware
SysJoker is developed using C++, whose every available variant is specifically designed for all the major operating systems.
But, how stealthy are they? The SysJoker malware is developed very carefully with all the stealthy features and abilities which allow it to evade the popular virus scanning site that utilizes the 57 distinct AV engines, VirusTotal.
Using the PowerShell commands, the SysJoker malware engages the first-stage dropper on Windows in the form of a DLL file, and once done, then performs the following actions:-
- Fetch the SysJoker ZIP from a GitHub repository,
- unzip it on “C:\ProgramData\RecoverySystem\”,
- execute the payload.
The malware then sleeps for up to two minutes before creating a new directory and copies itself as an Intel Graphics Common User Interface Service (“igfxCUIService.exe”).
Now, next, using the Living off the Land (LOtL) commands, the malware starts collecting the information about the system, and then it logs the results of the commands in different temporary text files.
When the logged data get stored in a JSON object which is named “microsoft_Windows.dll,” it immediately deletes all the temporary text files with the logged results.
By adding a new registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run), SysJoker creates persistence in the compromised system, and then it starts gathering the system and network data.
And to make everything authentic, it also automatically programs the compromised systems with random sleep times. While apart from this, the hackers use Google Drive’s complex link to proceed further and reach the C2 server managed by the attackers.
In the first stage infection chain, the system information gets collected, and here it’s sent to the C2, which replies back with a unique token that is served as an identifier of the infected endpoint.
However, in the case of macOS and Linux, it doesn’t perform any first-stage infection chain by dropping any dropper. As here, on the infected device, it directly starts performing the same malicious activities without any stage limitations.
Here is the list of C2 domains used by the threat actors:-
If you want to check whether your system is infected or not, you can check by following things that we have mentioned below for all three OS:-
Windows: On Windows OS, you have to check C:\ProgramData\RecoverySystem” folder, at C:\ProgramData\SystemData\igfxCUIService.exe, and C:\ProgramData\SystemData\microsoft_Windows.dll.
macOS: On macOS, you have to check “/Library/” and persistence is achieved via LaunchAgent under the path: /Library/LaunchAgents/com.apple.update.plist.
Linux: On Linux, you have to check “/.Library/” while persistence is established by creating the following cron job: @reboot (/.Library/SystemServices/updateSystem).
After analyzing, if you found that your system is compromised, then you have to follow the things that we have mentioned below:-
- All the processes related to the malware have to be killed.
- You have to delete all the files and the relevant persistence mechanisms manually.
- To ensure that all malicious files have been uprooted, you have to run a memory scanner.
- Examine all the potential entry points.
- Properly check firewall configurations.
- Keep all the existing tools and software updated.