New Year, fresh start! And for threat actors as well. Meet a brand-new backdoor malware that has been increasingly hitting the cyber domain over the last couple of months. Dubbed SysJoker, the threat has powerful evasion capabilities and can target major operating systems, including Windows, Linux, and macOS.

SysJoker Malware Analysis

SysJoker malware was first spotted in December 2021, when security experts at Intezer were investigating an attack against a Linux-based server of an unnamed educational institution. SysJoker analysis reveals that the new threat is allegedly used for cyber-espionage and second-stage payload delivery. The malware provides backdoor access to Linux, macOS, and Windows systems, granting its maintainers the ability to run commands and to download and upload files.

Although written from scratch for each major OS, SysJoker behaves similarly across all platforms. Upon gaining the initial foothold on the targeted instance, the backdoor is able to collect system data, gain persistence, and communicate with the command-and-control (C&C) server under the attackers’ control. Depending on the instructions received from SysJoker operators via the C&C server, the threat can drop and run malicious payloads as well as run additional commands. Notably, researchers identified that SysJoker maintains support for two previously unimplemented commands, supposedly meant for self-deletion.

Security experts suggest that SysJoker was developed by highly sophisticated adversaries, since the new malware has no code overlap with any other existing threat, has impressive evasion capabilities, and is used exclusively in targeted attacks. Moreover, SysJoker’s code is developed from scratch for all targeted operating systems.

Attack Kill Chain and Malicious Capabilities

Intezer warns that SysJoker, when targeting macOS and Linux systems, is disguised as a system update. For Windows instances, operators use another trick, disguising the threat as an Intel driver. Notably, the names of the fake drivers are rather generic, with the majority of them being pushed as “updateMacOS”, “updateSystem,” etc.

Upon the initial infection, SysJoker starts to gather system and network data through Living off the Land (LotL) commands. The data is then logged and immediately transferred to the C&C server. At the next stage, the malware boosts its position, adding new entries to a registry key. Finally, the malware connects to the attackers’ C&C server using a hardcoded Google Drive link to receive additional instructions. 

SysJoker started to be actively leveraged by adversaries in the second half of 2021, with malware operators being particularly attentive while choosing their victims. In fact, a small number of SysJoker samples were detected in the wild, pointing to the targeted nature of the campaigns.  

On the other hand, the malware was flying under the radar for nearly half a year due to its evasive capabilities. In particular, threat actors have put a lot of effort into obfuscating dedicated C&C server domains. The domains are dynamically fetched from a Google Drive link, making it easy to update the address. Furthermore, traffic to Google Drive is usually not considered suspicious in a network.
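
An added example, not part of the original article or of the SOC Prime rules: a hunting heuristic for the pattern described above, flagging a process that is not an expected Google Drive client when it requests Google Drive and then contacts a domain outside a known list shortly afterwards. The log format, the process allowlist, the 60-second window and the `c2-placeholder.example` domain are assumptions constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed network events: timestamp, host, process, destination domain.
SAMPLE_EVENTS = """\
2022-01-10T09:00:01 ws-01 chrome.exe drive.google.com
2022-01-10T09:00:05 ws-01 chrome.exe example.org
2022-01-10T09:02:10 srv-07 updateSystem drive.google.com
2022-01-10T09:02:14 srv-07 updateSystem c2-placeholder.example
2022-01-10T09:30:00 srv-07 updateSystem c2-placeholder.example
2022-01-10T10:00:00 mac-03 updateMacOS drive.google.com
2022-01-10T10:20:00 mac-03 updateMacOS cdn.example.net
"""

Event = namedtuple("Event", "ts host proc domain")
DRIVE_HOSTS = {"drive.google.com"}
# Assumption: processes expected to talk to Google Drive; tune per environment.
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe"}
WINDOW = timedelta(seconds=60)

def parse(text):
    """Yield Event tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, host, proc, domain = parts
            yield Event(datetime.fromisoformat(ts), host, proc, domain.lower())

def find_dead_drop_candidates(text, known_domains=frozenset()):
    """Return (host, process, domain) for each unexpected process that fetched
    from Google Drive and then, within WINDOW, reached an unknown domain."""
    last_drive = {}  # (host, proc) -> time of the most recent Drive request
    hits = []
    for ev in sorted(parse(text)):
        key = (ev.host, ev.proc)
        if ev.domain in DRIVE_HOSTS:
            if ev.proc.lower() not in EXPECTED_CLIENTS:
                last_drive[key] = ev.ts
            continue
        seen = last_drive.get(key)
        if seen and ev.ts - seen <= WINDOW and ev.domain not in known_domains:
            hits.append((ev.host, ev.proc, ev.domain))
            del last_drive[key]  # report one follow-up per Drive fetch
    return hits

if __name__ == "__main__":
    for hit in find_dead_drop_candidates(SAMPLE_EVENTS):
        print("review:", hit)
```

The check keys on the requesting process rather than on the Google Drive destination itself, since the destination alone is ordinary traffic.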

Detecting SysJoker Backdoor Malware

As the stealthy new SysJoker malware can compromise machines that run on macOS, Windows, and Linux, it is time to build up defenses against this multi-platform backdoor. To identify possible attacks, download the set of free Sigma rules from the SOC Prime Team that detect behavior patterns of the SysJoker backdoor.

SysJoker Backdoor C2 (via proxy)

SysJoker Backdoor C2 (via dns)

SysJoker Windows Backdoor Detection Patterns (via cmdline)

SysJoker Windows Backdoor Detection Patterns (via file_event)

SysJoker MacOS Backdoor Detection Patterns (via file_event)

SysJoker Linux Backdoor Detection Patterns (via file_event)

These detections have translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Chronicle Security, LimaCharlie, SentinelOne, Microsoft Defender ATP, CrowdStrike, Apache Kafka ksqlDB, Carbon Black, Sysmon, Qualys, Securonix, and Open Distro.

The full list of detections in the Threat Detection Marketplace repository of the SOC Prime platform is available here.

Eager to hunt for the latest threats, automate threat investigation, and get feedback and vetting from a community of 20,000+ security professionals? Join SOC Prime, the world’s first platform for collaborative cyber defense, threat hunting, and discovery that integrates with 20+ SIEM, EDR, and XDR platforms. Make your threat detection easier, faster, and simpler. Got high-flying ambitions in cybersecurity? Join our Threat Bounty program, develop your own Sigma rules, and get recurrent rewards for your valuable contribution!
