A new multi-platform malware has been detected in the wild recently by the security experts at Intezer that is stealing users’ sensitive data from all the major platforms like:-
This malware has been named ‘SysJoker,’ and this malware comes with several stealthy features; among them comes the capability to circumvent detection on all three major operating systems that we have mentioned above.
In H2 2021, the first sample of the malware was uploaded and occurred with the C2 domain enrollment times. And in December 2021, the first signs of its activity on a Linux-based web server were identified by the experts.
SysJoker is developed using C++, whose every available variant is specifically designed for all the major operating systems.
But, how stealthy are they? The SysJoker malware is developed very carefully with all the stealthy features and abilities which allow it to evade the popular virus scanning site that utilizes the 57 distinct AV engines, VirusTotal.
Using the PowerShell commands, the SysJoker malware engages the first-stage dropper on Windows in the form of a DLL file, and once done, then performs the following actions:-
The malware then sleeps for up to two minutes before creating a new directory and copies itself as an Intel Graphics Common User Interface Service (“igfxCUIService.exe”).
Now, next, using the Living off the Land (LOtL) commands, the malware starts collecting the information about the system, and then it logs the results of the commands in different temporary text files.
When the logged data get stored in a JSON object which is named “microsoft_Windows.dll,” it immediately deletes all the temporary text files with the logged results.
By adding a new registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run), SysJoker creates persistence in the compromised system, and then it starts gathering the system and network data.
And to make everything authentic, it also automatically programs the compromised systems with random sleep times. While apart from this, the hackers use Google Drive’s complex link to proceed further and reach the C2 server managed by the attackers.
In the first stage infection chain, the system information gets collected, and here it’s sent to the C2, which replies back with a unique token that is served as an identifier of the infected endpoint.
However, in the case of macOS and Linux, it doesn’t perform any first-stage infection chain by dropping any dropper. As here, on the infected device, it directly starts performing the same malicious activities without any stage limitations.
Here is the list of C2 domains used by the threat actors:-
If you want to check whether your system is infected or not, you can check by following things that we have mentioned below for all three OS:-
Windows: On Windows OS, you have to check C:\ProgramData\RecoverySystem” folder, at C:\ProgramData\SystemData\igfxCUIService.exe, and C:\ProgramData\SystemData\microsoft_Windows.dll.
macOS: On macOS, you have to check “/Library/” and persistence is achieved via LaunchAgent under the path: /Library/LaunchAgents/com.apple.update.plist.
Linux: On Linux, you have to check “/.Library/” while persistence is established by creating the following cron job: @reboot (/.Library/SystemServices/updateSystem).
After analyzing, if you found that your system is compromised, then you have to follow the things that we have mentioned below:-
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…