The SysJoker Backdoor is believed to have been active since the end of 2021, first discovered by Intezer researchers and believed to be attributed to an unknown APT group. First found targeting a server running the Linux operating system, it was later discovered that it has cross-platform capabilities (Windows,MacOS) being utilized for an undisclosed espionage campaign. Categorized as a backdoor abused for initial access on a victim’s system, what makes this malware formidable is its current state of being practically “undetectable” – this can be attributed to Sysjoker’s attack vector, which includes disguising itself as a system update on the different platforms. What also sets this variant apart from something commonly seen, which is due to the current “newness” and the unknowns in regards to threat actor and campaign this malware variant is worth observing and being prepared for.
Currently SysJoker has been observed attacking a “leading educational institution”, however due to its recent emergence and challenging to detect nature, other institutions/organizations can potentially materialize.
SysJoker has been observed masquerading as system updates (tailored to the target’s OS) as the initial method of delivery.
During installation, SysJoker has been observed to have the same behavior on all three operating systems (differences stemming on OS makeup). For example, with Windows it uses a first-stage dropper that pulls a zipped file of the payload – which then is executed and creates files/directories to copy into. It will then masquerade as a Intel Graphics Common User Interface Service and gather information on the machine via Living off the Land tools.
SysJoker has been observed to add the Intel Graphics Common User Interface Service to the Windows Run folder to achieve persistence. In terms of Linux, it creates a cron job pointing to the “updatesystem” file created in the attack chain. Finally in terms of MacOS, the variant abuses LaunchAgent masquerading as a apple launch service.
Sysjoker awaits commands form the C2 once the communication is established. The initiation is found after initial delivery of the malware, which can be observed when a string is decoded that is pulled form a text file being hosted on Google Drive. It is worth it to note that the C2 was observed to change multiple times, meaning that there most likely is an operator monitoring/sending commands.
The SysJoker Backdoor was discovered in late 2021 on a Linux-based server belonging to an institution in the Education industry, and was later identified as a cross-platform malware variant that is “undetectable” (currently on 1/11/2022). The undetectable nature of the variant can be accredited to the techiniques it utilizes when infecting a system. It exhibits similar behavior across the three operating systems but the Windows version being a bit different due to its make-up – furthermore, what makes it distinct, is that its tailored specifically for each operating system.
Where the variant’s behavior differs from Linux and Mac operating systems versus with Windows platforms, is the utilization of a first-stage dropper in the Windows version (d71e1a6ee83221f1ac7ed870bc272f01 which can be found on VirusTotal). The dropper than places Sysjoker on the system and executes it via PowerShell commands. After creating a “..\SystemData\” directory, it will masquerade as a “igfxCUIService.exe” service. This service gathers intel on the machine, which are encoded and sent back via C2 – additionally, persistence being achieved via registry run key. Also worth noting is the variant’s use of the Windows WMIC utility to execute commands. Alternatively, the behavior SysJoker has been observed to conduct on the Linux and Mac operating systems begin with a malicious NPM package. It is disguised as a benign system update and its C2 server is generated via a string pulled from Google Drive. This allows the server to remotely execute maliciously crafted commands – which includes additional executable files that are exfiltrated back to the source.