A new malware named SysJoker has emerged on the web.
'SysJoker' is a multi-platform threat that infects Linux, Windows, and macOS devices, and, dangerously, it can remain undetected once a user's operating system has been infected.
In December 2021, while investigating an attack on a Linux-based web server, researchers at Intezer were the first to discover the malware and notice its unusual nature.
The malware sample was first uploaded to VirusTotal in H2 2021 (the second half of the year), which matches the registration dates of its C2 domains.
Since then, the cybersecurity researchers have published an extremely thorough and detailed technical study of SysJoker.
Detecting A Hidden Malware
SysJoker masquerades as a system update and derives its C2 address by decoding a string retrieved from a text file hosted on Google Drive.
According to Intezer, the C2 changed over three times during the analysis, which indicates that the attackers were active and monitoring the infected systems.
Furthermore, based on the nature of the attack and the malware's capabilities, Intezer assessed that SysJoker is targeting specific victims.
SysJoker was uploaded to VirusTotal with the suffix .ts, which is used for TypeScript files.
An infected npm package is one possible attack vector for this malware.
Threats of SysJoker
SysJoker exists in many variants, each built to run on Linux, Windows, or macOS.
Once running, it can create a series of files and registry entries that allow it to install further malware, run commands on the infected device, or instruct the backdoor to shut down.
How To Geek noted that this malware poses a serious threat because it can make itself undetectable by antivirus software.
For now, suspected victims who want to check whether they are infected need to manually look for the files the malware creates on their systems.
What To Do if SysJoker Malware is Detected?
Unfortunately, even though SysJoker's victims appear to have been targeted deliberately, any user who finds they are infected needs to follow these SysJoker malware removal steps.
First, remove the malware's persistence mechanism, manually delete all the files it created, and kill all malware-related processes.
Second, run a memory scanner to confirm that all malicious files have been removed from the compromised system.
Third, check that software tools are up to date, double-check firewall settings, and investigate possible entry points.
How to Detect SysJoker Malware?
To detect the presence of SysJoker on a device, users can refer to Intezer, which has already published a full list of indicators of compromise (IOCs).
To help users detect it, some of the IOCs for each operating system that may be infected are listed below, as reported by Bleeping Computer.
For SysJoker Malware Windows
The malware files can be found at C:\ProgramData\SystemData\igfxCUIService.exe and C:\ProgramData\SystemData\microsoft Windows.dll in the "C:\ProgramData\RecoverySystem" folder. For persistence, the malware creates an Autorun "Run" value named "igfxCUIService", which starts the igfxCUIService.exe malware executable.
For SysJoker Malware macOS
Persistence is achieved via a LaunchAgent at the path /Library/LaunchAgents/com.apple.update.plist, and the files are created in "/Library/".
For SysJoker Malware Linux
On Linux, the files and folders are created in "/.Library/", and persistence is achieved by adding the following cron job: @reboot (/.Library/SystemServices/updateSystem).
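As an added illustration (not code from the article or from Intezer), the following Python checker looks for the file, cron-job and Run-key indicators listed above on whichever OS it runs on. It assumes the "/.Library" paths sit under the current user's home directory and that the Windows Run value lives under HKCU; both are assumptions, not details stated in the report.

```python
import os
import platform
import subprocess
# SysJoker indicators as listed above; "/.Library" is assumed to be relative to
# the current user's home directory (an assumption, not stated in the article).
IOC_PATHS = {
    "Windows": [r"C:\ProgramData\SystemData\igfxCUIService.exe",
                r"C:\ProgramData\SystemData\microsoft Windows.dll",
                r"C:\ProgramData\RecoverySystem"],
    "Darwin": ["~/Library/LaunchAgents/com.apple.update.plist"],
    "Linux": ["~/.Library/SystemServices/updateSystem"],
}
CRON_IOC = "/.Library/SystemServices/updateSystem"  # Linux @reboot cron job
RUN_VALUE_IOC = "igfxCUIService"                     # Windows Run value name

def check_paths(paths, exists=os.path.exists):
    """Return the IOC paths that exist on disk (exists() is injectable for tests)."""
    return [p for p in paths if exists(os.path.expanduser(p))]

def check_crontab(crontab_text):
    """Return @reboot crontab lines that launch the SysJoker Linux binary."""
    lines = (l.strip() for l in crontab_text.splitlines())
    return [l for l in lines if l.startswith("@reboot") and CRON_IOC in l]

def check_run_values(run_values):
    """run_values: {value_name: command} read from a ...\\CurrentVersion\\Run key."""
    return {n: c for n, c in run_values.items() if RUN_VALUE_IOC.lower() in n.lower()}

def read_hkcu_run():
    """Dump HKCU\\...\\CurrentVersion\\Run into {name: command} (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        count = winreg.QueryInfoKey(key)[1]          # number of values in the key
        return dict(winreg.EnumValue(key, i)[:2] for i in range(count))

def scan():
    """Run the checks that apply to the host OS and return a findings dict."""
    system = platform.system()
    findings = {"files": check_paths(IOC_PATHS.get(system, []))}
    if system == "Linux":
        try:
            out = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
            findings["cron"] = check_crontab(out.stdout)
        except FileNotFoundError:                    # cron is not installed
            findings["cron"] = []
    elif system == "Windows":
        findings["run_key"] = check_run_values(read_hkcu_run())
    return findings
```

Any non-empty list or dict returned by scan() is a hit that should be escalated to incident response rather than cleaned up silently.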
Furthermore, the following are the C2 domains mentioned in the Intezer report: