Why is this important: In December 2021, the Intezer security team identified custom-written malware on the Linux web server of a leading educational institution. The malware, since named SysJoker, was later found to have macOS and Windows variants as well, broadening the range of systems it can infect. The macOS and Linux variants are currently undetected by most antivirus products and scanners.
The custom-written, C++-based Remote Access Trojan (RAT) went unnoticed for several months and was probably released in mid-to-late 2021. According to the Intezer security team, SysJoker conceals itself as a system update on the target's operating system. Each variant is written specifically for the platform it targets, and the Linux and macOS variants in particular have proven difficult to detect: VirusTotal, an antivirus aggregator and scanning engine, still reports no detections for them.
The RAT behaves similarly on all affected operating systems. Once executed, it copies itself into a dedicated directory under a name chosen to blend in with legitimate software; the Windows variant, for example, masquerades as Intel's graphics common user interface service, igfxCUIService.exe. After several further setup steps, it begins collecting machine information such as the MAC address, hardware serial numbers, and IP addresses.
Intezer’s blog post gives a detailed explanation of the malware’s behavior, its encoding and decoding schemes, and its command and control (C2) instructions.
The post also lays out detection and response steps for determining whether your organization has been compromised and what to do next. Intezer Protect can be used to search for malicious code on Linux-based systems, and the company offers a free community edition for analysis; for Windows systems, Intezer’s endpoint analyzer is recommended. Owners of compromised systems are urged to:
- Kill SysJoker-related processes, remove its persistence mechanism and delete all SysJoker-related files
- Run a memory scan on the infected machine
- Investigate the initial entry point of the malware
- If a server was infected with SysJoker, also check:
  - configuration status and password complexity for utilities on the infected servers
  - software versions and known exploits affecting the infected servers
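As an added illustration of the first and last steps of that checklist on a Linux host (this is example code written for this page, not Intezer's tooling and not a SysJoker signature): the script below parses a process listing and a user crontab, flags entries that either match a caller-supplied indicator name or launch from a location where a real system service would not live, and prints the kill/cleanup commands a responder would review before running them. The process name "sysupdate", the hidden-directory heuristic and both sample listings are constructed for this example and are not real indicators.

```python
import re
from dataclasses import dataclass

# Locations from which a legitimate Linux service is not normally launched:
# world-writable scratch directories and hidden directories under /home or /.
# This heuristic is an assumption made for the example, not an Intezer indicator.
SUSPICIOUS_PATH = re.compile(r"^(/tmp/|/var/tmp/|/dev/shm/|/home/[^/]+/\.[^/]+/|/\.)")


@dataclass
class Finding:
    kind: str         # "process" or "persistence"
    detail: str       # the offending ps line or crontab entry
    remediation: str  # command for the responder to review; never executed here


def parse_ps(ps_output):
    """Parse `ps -eo pid,args --no-headers` style lines into (pid, exe, args)."""
    procs = []
    for line in ps_output.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, _, args = line.partition(" ")
        procs.append((int(pid), args.split(" ", 1)[0], args))
    return procs


def is_suspicious_exe(exe, indicator_names):
    """True if the basename is a known indicator or the path is a suspicious launch location."""
    name = exe.rsplit("/", 1)[-1]
    return name in indicator_names or bool(SUSPICIOUS_PATH.match(exe))


def suspicious_processes(ps_output, indicator_names):
    """Step 1 of the checklist: processes to kill, with the binary to delete."""
    findings = []
    for pid, exe, args in parse_ps(ps_output):
        if is_suspicious_exe(exe, indicator_names):
            findings.append(Finding("process", f"{pid} {args}",
                                    f"kill -9 {pid} && rm -f {exe}"))
    return findings


def persistence_entries(crontab_text, indicator_names):
    """Step 1 of the checklist, persistence side: crontab lines that relaunch the implant."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # A cron schedule is either an @keyword or five time fields; the command follows.
        fields = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        if len(fields) < (2 if line.startswith("@") else 6):
            continue  # malformed line, not a schedule
        exe = fields[-1].split(" ", 1)[0]
        if is_suspicious_exe(exe, indicator_names):
            findings.append(Finding("persistence", line,
                                    f"crontab -l | grep -vF '{line}' | crontab -"))
    return findings


def triage(ps_output, crontab_text, indicator_names=()):
    """Combine both checks; indicator names are optional, the path heuristic always applies."""
    names = set(indicator_names)
    return suspicious_processes(ps_output, names) + persistence_entries(crontab_text, names)


# Constructed sample output of `ps -eo pid,args --no-headers`. The "sysupdate"
# daemon is a made-up stand-in for a RAT posing as a system updater.
SAMPLE_PS = """\
    1 /sbin/init
  812 /usr/sbin/cron -f
 2231 /home/www/.config/sysupdate --daemon
 2240 /usr/bin/python3 /srv/app/app.py
"""

# Constructed sample of `crontab -l` for the same user.
SAMPLE_CRON = """\
# m h dom mon dow command
@reboot /home/www/.config/sysupdate --daemon
0 3 * * * /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PS, SAMPLE_CRON, indicator_names={"sysupdate"}):
        print(f"[{f.kind}] {f.detail}\n    -> {f.remediation}")
```

The remediation strings are printed rather than executed so that the responder can first preserve the binary and a memory image for analysis (step 2 of the checklist) before anything is killed or deleted. Only cron persistence is covered here; systemd units, shell profile hooks and, on Windows, Run keys and scheduled tasks need their own checks.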
Analysis of the targeted organizations and of the RAT’s behavior leads researchers to believe that SysJoker is the work of an advanced threat actor targeting specific organizations for espionage and potentially for ransomware attacks.