A new multiplatform malware going fully undetected in VirusTotal.
SysJoker, the backdoor is used for establishing access on a target machine. Once installed, it can execute code as well as additional commands, through which malicious hackers can carry out different attacks or pivot to move further into other networks.
First this attack was discovered in December during a cyberattack on a Linux-based web server. When it’s command-and-control (C2) domain registration and other sample data was observed , it was analysed that this appears in the second half of 2021.
Possibly SysJoker uses an infected npm package. Npm and other public code repositories are developer communities where people can upload and download codes for building applications. If one of these codes is malicious, it can be pulled into any number of apps, and it will be ready to attack any users of those infected projects.
Once SysJoker finds a target, SysJoker acts as a system update. Then it generates its C2 by decoding a string which it has retrieved from a text file hosted on Google Drive.
SysJoker’s act is similar for all three operating systems, with the exception that the Windows version makes use of a first-stage dropper.
After execution on the system, SysJoker sleeps for an arbitrary amount of time, between a minute or two. Then, it will create the directory C:\ProgramData\SystemData\ and copy itself by using the file name "igfxCUIService.exe". It seems it will act as the Intel Graphics Common User Interface Service.
That application will gather system information like mac address, user name, physical media serial number and IP address and it will collect the data into a temporary text file.
Then These text files are deleted immediately after being stored in a JSON object and then it will encode and write to a file named microsoft_Windows.dll.
SysJoker Malware then establish additional strength by adding an entry to the registry key
Between each of these steps of infection SysJoker sleeps for a arbitrary period of time.
To make a connection with the C2, SysJoker Malware first decodes a hardcoded Google Drive link using a hardcoded XOR key. Then It uses the same key to encrypt information and sent back and forth to and from the C2.
Then Google Drive link will open a text file named domain.txt that holds an encoded C2 . Remember the address of C2 will change dynamically .The link decodes the C2 and sends the previously collected machine data over. The C2 then will reply with a unique token which will be used to ping the C2 for further instructions.
SysJoker can execute various commands, including exe, cmd, remove_reg , exit etc.
The exe command will be used for dropping and running an executable file.
After execution of the executable, the malware will reply successfully if the file was successfully installed or error & exception if not installed properly.
The cmd command will be used for running next-stage instructions received from the C2.
Even though VirusTotal can’t detect SysJoker, but We can do something from our side.
If it is detected, you can Terminate the processes related to SysJoker, delete all files related to SysJoker Malware. Clean the Machine with a Powerful Memory Scanner. Install softwares to your machine after checking for the exploits present regarding it.
Mr. Debraj Basak
Information Security Research Analyst
The recent pandemic was unexpected and unknown to most part of the world. It has changed our life and we are slowly adapting to our new lifestyle. The risks associated with the new lifestyle, both personal & corporate, are unknown to most of us.Read Details