New SysJoker malware strain targets Windows, Linux, macOS

Overview

A new strain of malware has been discovered which targets Windows, Linux and macOS.
The researchers who discovered it report that it masquerades as a system update.
First discovered in December 2021, it appears to have been active since the second half of 2021, based on domain registrations and VirusTotal submissions.

Impact

The initial stages of the malware grant an operator backdoor access to a network.
It was seen checking in with its command-and-control (C&C) servers for instructions, but no further stages of interaction were observed during the analysis period, so its full capabilities are not known.

Detection

The malware uses common persistence techniques which can be easily detected.

On Windows machines, it uses a Run registry key to execute its binary at startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: igfxCUIService Type: REG_SZ Data: "C:\ProgramData\SystemData\igfxCUIService.exe"

On Linux devices, it creates a cron job scheduled with @reboot:
@reboot (/.Library/SystemServices/updateSystem)

On macOS it creates a LaunchAgent under the path /Library/LaunchAgents/com.apple.update.plist.
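To turn the three persistence artifacts above into a host check, here is an added Python example (not code from the advisory or from the researchers): it matches a Run-key dump, a user crontab and a LaunchAgents listing against the indicators, using constructed sample inputs; the com.apple.* heuristic in the macOS check is an assumption that goes beyond the advisory.

```python
"""SysJoker persistence checks from the advisory, run over constructed sample inputs."""

# Indicators as given in the advisory.
WIN_RUN_NAME = "igfxCUIService"
WIN_RUN_PATH = r"C:\ProgramData\SystemData\igfxCUIService.exe"
LINUX_CRON_PATH = "/.Library/SystemServices/updateSystem"
MAC_AGENT_PLIST = "/Library/LaunchAgents/com.apple.update.plist"

def check_windows_run_key(values):
    """values: Run-key value name -> data (e.g. parsed from `reg query`).
    The name mimics an Intel graphics service, so also match the ProgramData path."""
    hits = []
    for name, data in values.items():
        path = data.strip().strip('"').lower()
        if name.lower() == WIN_RUN_NAME.lower() or path == WIN_RUN_PATH.lower():
            hits.append(("windows_run_key", name, data))
    return hits

def check_crontab(text):
    """text: output of `crontab -l`; flags @reboot lines that start updateSystem."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("@reboot") and LINUX_CRON_PATH in line:
            hits.append(("linux_cron", line))
    return hits

def check_launch_agents(paths):
    """paths: plist files found under LaunchAgents directories. Exact match on the
    advisory's path, plus a heuristic (assumption, not from the advisory): Apple's
    own agents live under /System/Library, so com.apple.* elsewhere is suspicious."""
    hits = []
    for p in paths:
        if p == MAC_AGENT_PLIST or (
                "/LaunchAgents/com.apple." in p and not p.startswith("/System/Library/")):
            hits.append(("macos_launch_agent", p))
    return hits

# Constructed samples: one benign entry beside each indicator.
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "igfxCUIService": r'"C:\ProgramData\SystemData\igfxCUIService.exe"',
}
SAMPLE_CRONTAB = "0 3 * * * /usr/bin/backup.sh\n@reboot (/.Library/SystemServices/updateSystem)\n"
SAMPLE_AGENTS = ["/Library/LaunchAgents/com.docker.helper.plist", MAC_AGENT_PLIST]

def scan_samples():
    # Runs all three checks over the samples and returns the combined hit list.
    return (check_windows_run_key(SAMPLE_RUN_KEY) + check_crontab(SAMPLE_CRONTAB)
            + check_launch_agents(SAMPLE_AGENTS))
```

On a live host, feed the functions real collections (the Run key via `reg query`, `crontab -l` output, a directory listing of LaunchAgents) instead of the samples.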

Indicators of Compromise

Threat Landscape

Based on victimology, the researchers assess that these are targeted attacks.

It’s rare for new strains of malware to be found in the wild, in particular for Linux.

The fact that this was written from scratch for each of the three most common operating systems suggests a well-resourced threat actor.

It is more usual for crime groups to use off-the-shelf commodity malware.

MITRE Methodologies

[T1129] – Shared Modules
[T1573] – Encrypted Channel

Further Information

Intezer – New SysJoker Backdoor Targets Windows, Linux, and macOS

Bleeping Computer – New SysJoker backdoor targets Windows, macOS, and Linux