The ongoing espionage campaign has a new cross-platform backdoor “SysJoker”.



Last Updated on 12/01/2022 by Nidhi Khandelwal

As part of an ongoing espionage campaign that began in the second half of 2021, a new cross-platform backdoor known as “SysJoker” has been discovered targeting machines running Windows, Linux, and macOS.


Intezer researchers Avigayil Mechtinger, Ryan Robinson, and Nicole Fishbein wrote in a technical write-up detailing their findings, “SysJoker poses as a system update and builds its [command-and-control server] by decoding a string received from a text file housed on Google Drive.” “We believe SysJoker is after certain targets based on victimology and virus behavior.”

The implant was initially identified in December 2021 during an active attack against a Linux-based web server belonging to an unnamed educational institution, according to the Israeli cybersecurity firm, which attributed the activity to an advanced threat actor.

SysJoker is a C++-based malware that is distributed by a dropper file from a remote server and is designed to collect information about the compromised host, such as the MAC address, user name, physical media serial number, and IP address, which is then encoded and sent back to the server.


Furthermore, connections to the attacker-controlled server are established by extracting the C2 domain from a text file (“domain.txt”) hosted at a hard-coded Google Drive link. Once the domain is resolved, the server can relay instructions to the machine, letting the malware run arbitrary commands and executables and send the results back.
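The dead-drop pattern described above (fetch a file from a trusted cloud service, derive the real C2 from it, then beacon to a domain the host has never contacted) leaves a correlatable trace in web-proxy logs. The script below is an added example written for this page, not Intezer's tooling or anything recovered from the SysJoker sample: it flags a host whose first contact with an unknown domain happens within a short window after a Google Drive download. The log format, hostnames, domains, Drive URL shape and the 60-second window are all constructed assumptions.

```python
"""Hunt for a dead-drop resolver pattern: a host fetches a file from Google
Drive and shortly afterwards opens its first connection to a domain that is
neither a dead-drop service nor on an allowlist.  Log format and sample
lines are constructed for this example, not taken from the SysJoker report."""

from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log, one "<ISO timestamp> <hostname> <url>" per line.
# ws-01 shows the suspicious sequence; ws-02 fetches from Drive but contacts a
# new domain 85 minutes later; ws-03 contacts the same domain with no fetch.
SAMPLE_LOGS = """\
2021-12-01T10:00:01 ws-01 https://drive.google.com/uc?export=download&id=1AbCdEf
2021-12-01T10:00:04 ws-01 https://c2.invalid/api/attach
2021-12-01T10:00:09 ws-01 https://c2.invalid/api/req/ws-01
2021-12-01T10:05:00 ws-02 https://drive.google.com/uc?export=download&id=9ZyXwV
2021-12-01T11:30:00 ws-02 https://mirror.example.org/updates.json
2021-12-01T10:00:05 ws-03 https://c2.invalid/api/attach
"""

# Services commonly abused as dead drops (assumed list; extend for your estate).
DEAD_DROP_HOSTS = {"drive.google.com", "docs.google.com"}


def parse_logs(text):
    """Parse the constructed log format into (timestamp, host, domain) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, url = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), host, urlsplit(url).hostname))
    return events


def find_dead_drop_followups(events, window_seconds=60, allowlist=frozenset()):
    """Return (host, domain, seconds_after_fetch) for each first contact with a
    non-allowlisted domain that occurs within window_seconds of the host's
    most recent dead-drop fetch.  Repeat contacts with an already-seen domain
    are ignored, so a beaconing implant is reported once, on first contact."""
    by_host = defaultdict(list)
    for ts, host, domain in events:
        by_host[host].append((ts, domain))

    hits = []
    for host, host_events in by_host.items():
        host_events.sort()            # logs may arrive out of order
        seen = set()
        last_fetch = None
        for ts, domain in host_events:
            if domain in DEAD_DROP_HOSTS:
                last_fetch = ts       # candidate resolver fetch; keep watching
                continue
            first_contact = domain not in seen
            seen.add(domain)
            if (first_contact and domain not in allowlist
                    and last_fetch is not None
                    and (ts - last_fetch).total_seconds() <= window_seconds):
                hits.append((host, domain, (ts - last_fetch).total_seconds()))
    return hits


if __name__ == "__main__":
    for host, domain, delay in find_dead_drop_followups(parse_logs(SAMPLE_LOGS)):
        print(f"{host}: first contact with {domain} {delay:.0f}s after a dead-drop fetch")
```

On the constructed sample only ws-01 is reported. In a real environment the window and allowlist are the tuning knobs: legitimate software that pulls updates from Drive and then talks to its vendor will trip this unless the vendor domain is allowlisted, and a patient implant that sleeps before its first beacon slips past a short window, so widening the window and keying on process identity (where the proxy or EDR records it) both reduce misses.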

“The fact that the code was created from scratch and hasn’t been seen previously in other attacks [and] we haven’t seen a second stage or instruction delivered from the attacker […] shows that the attack is specific,” the researchers wrote.

Nidhi Khandelwal
Nidhi is a tech news/research contributor at TheDigitalHacker. She publishes about techno geopolitics, privacy, and data breach.