SysJoker Malware Can Damage Your Windows, Mac PC: Warning Signs, How to Remove If You're Attacked

SysJoker Malware Can Damage Your Windows, Mac PC: Warning Signs, How to Remove If You're Attacked
SysJoker Malware has been detected to emerge from the web. The SysJoker Malware affects multiple operating systems including MacOS, Linux, and Windows.

Photo : Nicolas Asfouri/ Getty Images

A new malware named SysJoker has emerged on the web.

'SysJoker' is a multi-platform threat infecting devices from Linux, Windows, and macOS, and it dangerously has the capability of not being detectable once a user's operating system is already infected.

On December 2021, after investigating an attack on a Linux-based web server, the discovery of SysJoker came from the researchers of Intezer who were the first to discover the strange nature of the malware.

The malware sample was originally uploaded to VirusTotal in H2 2021, which corresponds to the C2 domain registration dates.

An extremely thorough and detailed technical study on SysJoker has been shared by the cybersecurity researchers since then. 

Detecting A Hidden Malware

Through decoding a string retrieved from a text file hosted on Google Drive, SysJoker malware masks its self as a system update and generates its C2.

As reported by Intezer, indicators of the attackers monitoring the infected systems and being active were discovered from an analysis in which the C2 changed over three times.

Furthermore, based on the attack and the behavior of what the malware is capable of doing, it assessed that SysJoker is targeting specific victims.

The suffix.ts, which is used for TypeScript files, was utilized to upload SysJoker to VirusTotal.

An infected npm package is one possible attack vector for this malware.

Threats of SysJoker

In general, a plethora of variations of SysJoker is made to run on either Linux, Windows, or macOS.

With that, it is able to create a series of files and registry commands that allow it to install further malware, conduct commands on the infected device, or tell the backdoor to shut down.

How To Geek mentioned that this malware poses a serious threat as it can manage to make itself undetectable by antivirus software.

For now, in order to check if suspected victims don't have the malware, they need to manually check if there are created files within their systems.

Read Also: Afraid Data Brokers Are Selling Your Personal Information? This 1 Tool Prevents It From Happening

What To Do if SysJoker Malware is Detected?

Unfortunately, even if Sysjoker's victims have been targeted intentionally, if users find out they have been infected they need to follow these SysJoker Malware removal steps.

First, they need to get rid of the malware's persistence mechanism, manually delete all the files affected and kill all the malware-related programs running.

Second, to check that all malicious files have been removed from the compromised system, run a memory scanner.

Third, users need to check if software tools are up to date, double-check firewall settings, and investigate possible access points.

How to Detect SysJoker Malware?

To detect the presence of SysJoker on an infected device, users can go to Interez as they have already provided full indicators of compromise (IOCs).

For users to be able to detect, written below are some IOCs outlined for every operating system that is possibly infected, as reported by Bleeping Computer.

For SysJoker Malware Windows

  • Persistence is achieved via LaunchAgent under the path: /Library/LaunchAgents/com.apple.update.plist. & the files are created on "/Library/"

For SysJoker Malware MacOS

  • the malware files can be found at C:ProgramDataSystemDataigfxCUIService.exe and C: ProgramDataSystemDatamicrosoft Windows.dll in the "C: ProgramDataRecoverySystem" folder. The malware creates an Autorun "Run" value of "igfxCUIService" for persistence, which starts the igfxCUIService.exe malware executable.

For SysJooker Linux

  • The files and folders are produced in "/.Library/" on Linux, and persistence is achieved by setting up the following cron job: @reboot (/.Library/SystemServices/updateSystem).

Furthermore, the following are the C2 domains mentioned in the Intezer report:

  1. https[://]drive[.]google[.]com/uc?export=download&id=1-NVty4YX0dPHdxkgMrbdCldQCpCaE-Hn

  2. https[://]drive[.]google[.]com/uc?export=download&id=1W64PQQxrwY3XjBnv QaeBQu-ePr537eu

  3. https[://]office360-update[.]com

  4. https[://]graphic-updater[.]com

  5. https[://]github[.]url-mini[.]com

  6. https[://]winaudio-tools[.]com

  7. https[://]bookitlab[.]tech

Related Article: What Is UltraRAM: Have Scientists Created Unlimited Memory Storage for PCs, Gaming Consoles?

© 2022 iTech Post All rights reserved. Do not reproduce without permission.

More from iTechPost