Dubbed “SysJoker” by researchers at Intezer, the malware was discovered during an attack on a Linux web server running in an education sector organization. It’s believed to date back to the second half of 2021.
“SysJoker masquerades as a system update and generates its C2 [command and control] by decoding a string retrieved from a text file hosted on Google Drive,” the vendor explained in a blog post.
“During our analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines. Based on victimology and the malware’s behavior, we assess that SysJoker is after specific targets.”
The malware is written in C++, with each sample customized for the OS it targets. Worryingly, the Linux and macOS versions were fully undetected in VirusTotal at the time of writing.
Aside from the Windows version, which contains a first-stage dropper, all three variants behave the same way. After execution, the malware sleeps for up to 120 seconds, then creates a directory and copies itself into it under a file name that mimics an Intel graphics common user interface service executable.
It then covertly gathers information about the machine and establishes persistence, sleeping between these steps as well.
The C2 address is not stored in the binary. Instead, the malware decodes a hardcoded, encoded Google Drive link, fetches the text file hosted there, and decodes the C2 address contained in that file. Because the attacker can edit the hosted file at any time, the C2 can be rotated without touching the implant itself.
Once connected, the C2 can instruct the implant to download and run additional malware or to execute other commands on the victim machine.
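The dead-drop resolver described above, as an added, runnable illustration that is not code from the Intezer report or from the malware: a hardcoded encoded blob decodes to a hosting URL, the hosted text decodes to the actual C2, and the operator can rotate the C2 by rewriting only the hosted file. The page does not say how SysJoker encodes its strings, so the single-byte XOR plus base64 scheme, the XOR key, the placeholder Google Drive URL and the `.invalid` C2 hostnames below are all assumptions made for the example; the "hosted file" is an in-memory dictionary so the script runs offline.

```python
import base64
import re

# Assumed encoding for illustration only; the article says the strings are
# "encoded" but not how. Single-byte XOR then base64 is NOT SysJoker's scheme.
XOR_KEY = 0x2A


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode(plain: str) -> str:
    """Operator-side helper: produce the encoded form stored in the binary or file."""
    return base64.b64encode(xor_bytes(plain.encode(), XOR_KEY)).decode()


def decode(blob: str) -> str:
    """Implant-side helper: reverse encode()."""
    return xor_bytes(base64.b64decode(blob), XOR_KEY).decode()


# Constructed placeholder dead-drop URL (not a real file id) and the encoded
# form the implant would carry as a hardcoded string.
DEAD_DROP_URL = "https://drive.google.com/uc?export=download&id=EXAMPLE_FILE_ID"
HARDCODED_DEAD_DROP = encode(DEAD_DROP_URL)

# Simulated hosted file content, keyed by URL, so no network access is needed.
_HOSTED = {DEAD_DROP_URL: encode("https://c2-example-one.invalid")}


def fetch(url: str) -> str:
    """Stand-in for the HTTP GET the implant would issue to the dead drop."""
    return _HOSTED[url]


def resolve_c2(hardcoded_blob: str) -> str:
    """Two-stage resolution: blob -> dead-drop URL -> hosted text -> C2 URL."""
    url = decode(hardcoded_blob)
    # Sanity-check the first stage before making any request.
    if not url.startswith("https://drive.google.com/"):
        raise ValueError("decoded dead-drop URL is not on the expected host")
    c2 = decode(fetch(url))
    # Reject garbage so a tampered or deleted dead-drop fails closed.
    if not re.fullmatch(r"https?://[A-Za-z0-9.\-]+(:\d+)?", c2):
        raise ValueError("decoded C2 is not a plausible URL")
    return c2


def rotate_c2(new_c2: str) -> None:
    """Operator-side action: overwrite the hosted file; the implant is unchanged."""
    _HOSTED[DEAD_DROP_URL] = encode(new_c2)


if __name__ == "__main__":
    print("initial C2:", resolve_c2(HARDCODED_DEAD_DROP))
    rotate_c2("https://c2-example-two.invalid")
    print("after rotation:", resolve_c2(HARDCODED_DEAD_DROP))
```

The defensive point the example makes concrete: static analysis of a sample yields only the dead-drop URL (the first decode), never the live C2, so a static C2 blocklist is stale the moment the operator edits the hosted file. Watching the dead-drop itself, or the outbound fetch to it, is the indicator that survives rotation.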
Intezer claimed there are several reasons why SysJoker may be the work of a sophisticated actor. The malware was written from scratch rather than built on existing code, and had not been seen in any other attack in the wild, which the researchers note is unusual for Linux malware.
The attacker registered at least four separate domains and wrote the malware for three discrete platforms.
“During our analysis, we haven’t witnessed a second stage or command sent from the attacker,” Intezer concluded. “This suggests that the attack is specific, which usually fits an advanced actor.”