Saturday, July 20, 2024

New SysJoker Espionage Malware Targeting Windows, macOS, and Linux Users

A new cross-platform backdoor called “SysJoker” has been observed targeting machines running Windows, Linux, and macOS operating systems as part of an ongoing espionage campaign that’s believed to have been initiated during the second half of 2021.

“SysJoker masquerades as a system update and generates its [command-and-control server] by decoding a string retrieved from a text file hosted on Google Drive,” Intezer researchers Avigayil Mechtinger, Ryan Robinson, and Nicole Fishbein noted in a technical write-up publicizing their findings. “Based on victimology and malware’s behaviour, we assess that SysJoker is after specific targets.”

Sysjoker backdoor
Sysjoker backdoor

The Israeli cybersecurity company, attributing the work to an advanced threat actor, said it first discovered evidence of the implant in December 2021 during an active attack against a Linux-based web server belonging to an unnamed educational institution.

Sysjoker backdoor 2

A C++-based malware, SysJoker is delivered via a dropper file from a remote server that, upon execution, is engineered to gather information about the compromised host, such as MAC address, user name, physical media serial number, and IP address, all of which are encoded and transmitted back to the server.

What’s more, connections to the attacker-controlled server are established by extracting the domain’s URL from a hard-coded Google Drive link that hosts a text file (“domain.txt”), enabling the server to relay instructions to the machine that allow the malware to run arbitrary commands and executables, following which the results are beamed back.

“The fact that the code was written from scratch and hasn’t been seen before in other attacks [and] we haven’t witnessed a second stage or command sent from the attacker […] suggests that the attack is specific which usually fits for an advanced actor,” the researchers said.

Recommended:  Morgan Stanley fined $35M after unencrypted, unwiped hard drives are auctioned


We think you may enjoy reading,

Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates