Last Updated on 12/01/2022 by Nidhi Khandelwal
As part of an ongoing espionage campaign that began in the second half of 2021, a new cross-platform backdoor known as “SysJoker” has been discovered targeting workstations running Windows, Linux, and macOS operating systems.
Intezer researchers Avigayil Mechtinger, Ryan Robinson, and Nicole Fishbein wrote in a technical write-up detailing their findings: “SysJoker poses as a system update and builds its [command-and-control server] by decoding a string received from a text file housed on Google Drive.” They added, “We believe SysJoker is after certain targets based on victimology and virus behavior.”
The implant was initially identified in December 2021 during an active attack against a Linux-based web server belonging to an unnamed educational institution, according to the Israeli cybersecurity firm, which attributed the activity to an advanced threat actor.
SysJoker is a C++-based malware that is distributed by a dropper file from a remote server and is designed to collect information about the compromised host, such as the MAC address, user name, physical media serial number, and IP address, which is then encoded and sent back to the server.
Furthermore, connections to the attacker-controlled server are established by extracting the server’s domain URL from a text file (“domain.txt”) hosted at a hard-coded Google Drive link. The server can then relay instructions to the infected machine, allowing the malware to run arbitrary commands and executables and send the results back.
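The dead-drop resolver pattern described above (fetch a text file from Google Drive, then connect to whatever domain it names) leaves a correlatable trace in web proxy logs. The following is an added detection example, not code from the article or from Intezer; the log format, host names, Drive file id, timestamps and the five-minute window are all constructed assumptions.

```python
"""Heuristic for Google Drive dead-drop resolvers over proxy logs.

Constructed example, not part of the original article. Flags a source host
that fetches something from Google Drive and then, within a short window,
contacts a domain that host has not been seen talking to before. In
production the 'seen' baseline would come from a longer history than the
log slice being scanned; here it is built from the sample lines alone.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <src_host> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
DRIVE_HOSTS = ("drive.google.com", "docs.google.com")

# Constructed sample lines; the Drive file id is a placeholder.
SAMPLE_LOGS = """\
2021-12-01T10:00:00 ws-17 GET https://www.example.org/index.html
2021-12-01T10:05:12 ws-17 GET https://drive.google.com/uc?id=FILE_ID_PLACEHOLDER&export=download
2021-12-01T10:05:15 ws-17 POST https://cdn-updates.example/api/attach
2021-12-01T10:06:00 ws-22 GET https://drive.google.com/file/d/ANOTHER_ID/view
2021-12-01T11:30:00 ws-22 GET https://www.example.org/index.html
"""


def parse(line):
    """Return (timestamp, host, method, url, domain) or None for junk lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, method, url = m.groups()
    domain = url.split("//", 1)[1].split("/", 1)[0]
    return datetime.fromisoformat(ts), host, method, url, domain


def find_dead_drop_candidates(log_text, window=timedelta(minutes=5)):
    """Return (host, drive_url, new_domain) tuples worth an analyst's look."""
    seen = defaultdict(set)   # host -> domains contacted so far
    last_drive = {}           # host -> (time, url) of most recent Drive fetch
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, host, _method, url, domain = rec
        if domain in DRIVE_HOSTS:
            last_drive[host] = (ts, url)
        elif host in last_drive and domain not in seen[host]:
            drive_ts, drive_url = last_drive[host]
            if ts - drive_ts <= window:  # first contact shortly after Drive fetch
                hits.append((host, drive_url, domain))
        seen[host].add(domain)
    return hits
```

On the sample, ws-17 is flagged (Drive fetch, then a never-before-seen domain three seconds later) while ws-22 is not, because its later request falls outside the window.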
“The fact that the code was created from scratch and hasn’t been seen previously in other attacks [and] we haven’t seen a second stage or instruction delivered from the attacker […] shows that the attack is specific,” the researchers wrote.