New SysJocker backdoor targets Windows, macOS and Linux

A new cross-platform backdoor malware named “SysJocker” has emerged in the wild, targeting Windows, Linux, and macOS with the ability to evade detection on all three operating systems.

The discovery of the new malware comes from Intezer researchers who first saw signs of its activity in December 2021 after investigating an attack on a Linux-based web server.

The first downloads of the malware sample to VirusTotal were in the second half of 2021, which is also the C2 domain registration deadline.

Security analysts have now released a detailed technical report on SysLocker, which they shared with Bleeping Computer ahead of its publication.

A Joker who doesn’t like to attract attention

The malware is written in C ++, and while each variant is tailored to the targeted operating system, not all of them are detected on VirusTotal, an online malware analysis site that uses 57 different virus detection engines.

On Windows, SysJocker uses a first stage dropper in the form of a DLL, which uses PowerShell commands to do the following:

  • get the SysJocker ZIP from a GitHub repository,
  • unzip it to “C: ProgramData RecoverySystem “,
  • run the payload.

The malware then goes to sleep for up to two minutes before creating a new directory and copies itself as the Intel Graphics Common User Interface Service (“igfxCUIService.exe”).

Complete execution process for SysJoker on Windows
Complete execution process for SysJoker on Windows
Source: Intézer

“Then SysJoker will collect information about the machine using the Live From Earth (LOtL) commands. SysJoker uses various temporary text files to save the results of the commands,” explains The Intezer report.

“These text files are immediately deleted, stored in a JSON object, then encoded and written to a file named ‘microsoft_Windows.dll’.

After collecting system and network data, the malware will create persistence by adding a new registry key (HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Run). Random sleep times are interposed between all functions leading to this point.

The next step for the malware is to contact the C2 server controlled by the actor, and for that it uses a hard-coded Google Drive link.

Resolve hard-coded Google Drive link
Resolve hard-coded Google Drive link
Source: Intézer

The link hosts a “domain.txt” file that actors regularly update to provide available servers for live beacons. This list is constantly changing to avoid detection and blocking.

System information collected during the early stages of infection is sent as the first handshake to C2. The C2 responds with a unique token that serves as the identifier of the infected endpoint.

From there, the C2 can instruct the backdoor to install additional malware, run commands on the infected device, or order the backdoor to remove itself from the device. However, these last two instructions have not yet been implemented.

SysJoker C2 communication diagram
SysJoker C2 communication diagram
Source: Intezer

Although the Linux and macOS variants do not have a first-step dropper in the form of a DLL, they ultimately perform the same malicious behavior on the infected device.

Detection and prevention

Intezer provided comprehensive Indicators of Compromise (IOC) in their report that administrators can use to detect the presence of SysJoker on an infected device.

Below we have described some of the IOCs for each operating system.

Under Windows, The malicious files are located in the “C: ProgramData RecoverySystem” folder, in C: ProgramData SystemData igfxCUIService.exe and C: ProgramData SystemData microsoft_Windows.dll. For persistence, the malware creates an Autorun “Run” value of “igfxCUIService” which launches the malware executable igfxCUIService.exe.

Under linux, files and directories are created under “/.Library/” while persistence is established by creating the following cron job: @reboot (/.Library/SystemServices/updateSystem).

On macOS, files are created on “/ Library /” and persistence is obtained via LaunchAgent under the path: /Library/LaunchAgents/com.apple.update.plist.

The C2 domains shared in the Intezer report are:

  • https[://]bookitlab[.]technology
  • https[://]winaudio-tools[.]com
  • https[://]graphics update[.]com
  • https[://]github[.]url-mini[.]com
  • https[://]office360-update[.]com
  • https[://]to drive[.]Google[.]com / uc? export = download & id = 1-NVty4YX0dPHdxkgMrbdCldQCpCaE-Hn
  • https[://]to drive[.]Google[.]com / uc? export = download & id = 1W64PQQxrwY3XjBnv_QaeBQu-ePr537eu

If you find that you have been compromised by SysJoker, follow these three steps:

  1. Kill all malware related processes and manually remove files and corresponding persistence mechanism.
  2. Run a memory scanner to make sure all malicious files have been uprooted from the infected system.
  3. Check for potential entry points, check firewall configurations, and update all software tools to the latest version available.

Comments are closed.