Why it matters: In December 2021, the security team at Intezer identified custom-written malware on a leading educational institution’s Linux web server. The malware, since named SysJoker, was later discovered to also have Mac and Windows-based variations, increasing its ability to infect desired systems. The macOS and Linux variations are currently undetectable by most antivirus products and scanners.
The custom-written, C++ based remote access trojan (RAT) that went completely undetected for several months may have been released around mid to late 2021. Named SysJoker by Intezer’s security team, the program conceals itself as a system update within the target’s OS environment. Each variation of the malware is tailored to the operating system it targets, many of which have proven to be difficult or impossible to detect. According to VirusTotal, an antivirus and scan engine aggregator, the macOS and Linux versions of the program are still undetectable.
The RAT’s behavior is similar across all of the impacted operating systems. Once executed, it creates and copies itself to a specific directory masquerading as Intel’s Graphics Common User Interface Service, igfxCUIService.exe. After several other actions are executed, the program will begin collecting machine information such as the MAC address, serial numbers, and IP addresses.
Intezer’s blog post provides a fully detailed explanation of the malware’s behavior, decoding and encoding schemes, and command and control (C2) instructions.
The blog provides readers with detection and response steps that can be followed to determine if your organization was compromised and what next steps to take. Intezer Protect can be used to scan for malicious code on Linux-based systems. The company provides a free community edition of the product to conduct scans. Windows systems are advised to use Intezer’s endpoint scanner. Owners of compromised systems are advised to:
- Kill the processes related to SysJoker and delete the relevant persistence mechanism and all files related to SysJoker
- Run a memory scan on the infected machine
- Investigate the initial entry point of the malware
- If a server was infected with SysJoker, in the course of this investigation, check:
- Check the configuration status and password complexity for publicly facing services on infected servers
- Check software versions and known exploits affecting infected servers
Analysis of the organizations targeted, and the RAT’s designed behavior, leads researchers to believe SysJoker is the work of an advanced threat actor targeting specific organizations for the purpose of espionage and potentially ransomware attacks.