Researchers at Intezer are credited with discovering the malware in the wild in December of 2021 during an investigation of an attack on a Linux server.  The group was able to obtain samples of the virus for analysis and have concluded that SysJoker is a nasty piece of work indeed.

Written in C++, the malware strain is cunningly constructed to evade detection on all three Operating Systems.  In fact, it's so good at evading detection that none of the 57 antivirus programs the Intezer researchers tested were able to detect the presence of the malware.

SysJoker is harmless by itself but that is by design.  It is a first-stage dropper and its only job is to gain a foothold in a target network.

Once there it will sleep for two minutes before creating a new directory and then copy itself to that directory all while disguised as an Intel Graphics Common User Interface Service ("igfxCUIService.exe").

According to the Intezer report, this is what happens next:

"...SysJoker will gather information about the machine using Living off the Land (LOtL) commands. SysJoker uses different temporary text files to log the results of the commands," explains Intezer's report.

These text files are deleted immediately, stored in a JSON object and then encoded and written to a file named "microsoft_Windows.dll"."

When that is done, the malware creates persistence by adding a new registry key (HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun). Random sleep times are interposed between all functions leading to this point.

Finally, it will reach out to the actor-controlled command and control server using a hardcoded Google Drive link.  Once that connection has been established, the hackers can install whatever payload they wish onto the infected system.

None of the major AV programs can detect SysJoker at present. Given that it can infect Windows, Mac and Linux systems, this is one to keep a watchful eye out for.

Used with permission from Article Aggregator