SysJoker Backdoor

SysJoker Backdoor Description

A backdoor named SysJoker, which had gone largely undetected, targets computers running Windows, Linux and macOS. The malware was discovered by Intezer; according to their findings, the Linux and macOS variants were completely undetected by security vendors at the time, while the Windows variant had an extremely low detection rate.

The first observed attack involving SysJoker took place in December 2021 and targeted a Linux web server belonging to a 'leading educational institution.' Attackers can leverage the access SysJoker establishes in several ways: deploying additional payloads to escalate the intrusion, pivoting to new targets, or selling the backdoor access to other cybercriminal groups.

Technical Details

The currently available data suggest that SysJoker's initial attack vector could be a malicious npm package. npm (Node Package Manager) is the default package manager for the Node.js JavaScript runtime and one of the largest online registries for publishing open-source Node.js packages.

SysJoker's behavior is essentially the same on Linux and macOS; on Windows the threat adds a dedicated first-stage dropper. Once on the targeted device, the backdoor first sleeps for a random period of between a minute and a half and two minutes, and it sleeps again for a similar random period between each subsequent step of its routine.

On Windows, the threat creates the C:\ProgramData\SystemData\ directory and copies itself there as 'igfxCUIService.exe,' masquerading as the legitimate Intel Graphics Common User Interface Service. Persistence is established by adding a new entry under 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.'

The C2 Server and Commands

SysJoker collects information about the infected system, including the device's MAC address, IP address, user name, and more. This fingerprint is first written to a temporary text file, then assembled into a JSON object, and finally encoded and written to a file named 'microsoft_Windows.dll.'

Before the data can be exfiltrated, SysJoker must retrieve the address of its Command-and-Control (C2, C&C) server. The first step is decoding a hardcoded Google Drive link with an XOR key that is also hardcoded into the binary. The Drive link points to a text file containing an encoded C2 address, which the operators can change at will. After a successful connection and the upload of the collected victim information, SysJoker waits for further commands.
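The C2-resolution step above, reproduced as an added example (this is analyst tooling written for this page, not SysJoker's code or Intezer's): a repeating-key XOR decoder, a sanity check that tells a wrong key or a wrongly carved blob apart from a real decode, and, going one step beyond the text, the known-plaintext shortcut that recovers the key from the ciphertext alone, since every Drive download link starts with the same bytes. KEY, DRIVE_LINK and the second-stage file contents are constructed for the example; neither the real key nor the real link is reproduced, and the hex-plus-XOR scheme assumed for the Drive-hosted file is an assumption the write-up does not state.

```python
"""Added example, not SysJoker's code: recovering an XOR-obfuscated C2 locator.

KEY, DRIVE_LINK and C2_FILE_CONTENTS are constructed for illustration.
"""
from itertools import cycle

KEY = b"Sj0k3r!"  # hypothetical 7-byte key, stands in for the hardcoded one
DRIVE_LINK = b"https://drive.google.com/uc?export=download&id=EXAMPLE_FILE_ID"  # constructed
KNOWN_PREFIX = b"https://drive.google.com/"  # every Drive download link starts this way


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_url(candidate: bytes) -> bool:
    """Sanity check before trusting a decode: https scheme and printable ASCII only."""
    return candidate.startswith(b"https://") and all(0x20 <= c < 0x7F for c in candidate)


def decode_drive_link(blob: bytes, key: bytes) -> bytes:
    """Step one from the write-up: hardcoded blob XOR hardcoded key -> Drive link."""
    url = xor_bytes(blob, key)
    if not looks_like_url(url):
        raise ValueError("decode failed: wrong key, or blob carved at the wrong offset")
    return url


def recover_key(blob: bytes, known_prefix: bytes = KNOWN_PREFIX) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext is the key stream, and the
    shortest repeating unit of that stream is the key (or a prefix of it when the
    key is longer than the known plaintext)."""
    stream = xor_bytes(blob[: len(known_prefix)], known_prefix)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


# Stands in for the bytes carved out of the sample: in a real analysis this is
# ciphertext pulled from the binary, not something computed from the answer.
ENCODED_LINK = xor_bytes(DRIVE_LINK, KEY)


def decode_c2_from_drive_file(contents: bytes, key: bytes) -> bytes:
    """Step two: the text file behind the link holds the current C2 in encoded
    form.  The write-up does not give that scheme; this ASSUMES hex text over
    the same XOR key, and tolerates the trailing newline a text file usually has."""
    ciphertext = bytes.fromhex(contents.decode("ascii").strip())
    return xor_bytes(ciphertext, key)


# Constructed second-stage file; 198.51.100.0/24 is a documentation address range.
C2_FILE_CONTENTS = xor_bytes(b"198.51.100.23:443", KEY).hex().encode("ascii") + b"\n"

if __name__ == "__main__":
    print("recovered key :", recover_key(ENCODED_LINK))
    print("drive link    :", decode_drive_link(ENCODED_LINK, KEY).decode())
    print("current C2    :", decode_c2_from_drive_file(C2_FILE_CONTENTS, KEY).decode())
```

Two practical notes. A repeating XOR key is obfuscation, not encryption: once one plaintext is known (and a URL prefix always is), the key falls out, which is why the check in looks_like_url is enough to confirm a candidate key. And when decode_drive_link raises on a sample you are confident about, the usual cause is the blob being carved at the wrong offset or with the wrong length rather than a wrong key.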

The threat recognizes several commands, but two of them ('remove_reg' and 'exit') are not fully implemented in the SysJoker versions analyzed. The two working commands are 'exe' and 'cmd.' With 'exe' the operators instruct SysJoker to download and execute an additional malicious executable; the command specifies the directory the file should be dropped in and its file name. 'cmd' receives an arbitrary command line and runs it on the system.
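The Windows staging and persistence steps described under Technical Details, together with the 'exe' and 'cmd' commands above, all leave telemetry a defender can hunt for. The following is an added example written for this page (not tooling from the write-up or from any vendor) that runs three checks over Sysmon-style JSON records: a file written under C:\ProgramData\SystemData\, a Run value pointing into that directory, and the staged igfxCUIService.exe spawning a shell or a child from its own directory. The event records and the SID are constructed; the field names follow Sysmon's ProcessCreate (ID 1), FileCreate (ID 11) and RegistryEvent value-set (ID 13) schemas.

```python
"""Added example, not code from the SysJoker write-up or any vendor: hunting the
staging, persistence and command-execution behaviour in Sysmon-style records.
All sample events below are constructed.
"""
import json
from typing import Callable, Dict, Iterable, List, Optional

# Paths from the write-up, lower-cased once so comparisons are case-insensitive
# (NTFS paths and registry keys are case-insensitive; Sysmon preserves case).
STAGING_DIR = "c:\\programdata\\systemdata\\"
STAGED_BINARY = STAGING_DIR + "igfxcuiservice.exe"
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run\\"
SHELLS = {"cmd.exe", "powershell.exe"}  # what a 'cmd' task will usually spawn


def _norm(value: Optional[str]) -> str:
    return (value or "").strip().lower()


def check_file_create(event: dict) -> Optional[str]:
    """ID 11: anything written under the staging directory.  The genuine
    igfxCUIService.exe is not installed under ProgramData, so the directory,
    not the file name, is the discriminator."""
    target = _norm(event.get("TargetFilename"))
    if target.startswith(STAGING_DIR):
        return "staging: " + event["TargetFilename"]
    return None


def check_registry_set(event: dict) -> Optional[str]:
    """ID 13: a Run value whose data points into the staging directory.
    Sysmon renders HKEY_CURRENT_USER as HKU\\<SID>, so match on the sub-key
    path rather than on an 'HKCU' prefix."""
    key = _norm(event.get("TargetObject"))
    data = _norm(event.get("Details"))
    if RUN_KEY_FRAGMENT in key and data.startswith(STAGING_DIR):
        return "persistence: " + event["TargetObject"] + " -> " + event["Details"]
    return None


def check_process_create(event: dict) -> Optional[str]:
    """ID 1: the staged binary spawning a shell ('cmd' task) or launching a
    child out of its own directory ('exe' task)."""
    parent = _norm(event.get("ParentImage"))
    image = _norm(event.get("Image"))
    if parent != STAGED_BINARY:
        return None
    if image.rsplit("\\", 1)[-1] in SHELLS or image.startswith(STAGING_DIR):
        return "execution: " + event["ParentImage"] + " spawned " + event["Image"]
    return None


CHECKS: Dict[int, Callable[[dict], Optional[str]]] = {
    1: check_process_create,
    11: check_file_create,
    13: check_registry_set,
}


def scan_events(lines: Iterable[str]) -> List[str]:
    """Run the applicable check over each JSON-lines record; malformed lines
    are skipped so one bad record does not abort the hunt."""
    hits: List[str] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        check = CHECKS.get(event.get("EventID"))
        if check is not None:
            hit = check(event)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample telemetry: two benign records mixed with three that match.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # placeholder SID
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\setup.exe",
     "TargetFilename": "C:\\ProgramData\\SystemData\\igfxCUIService.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Windows\\System32\\igfxCUIService.exe"},
    {"EventID": 13, "Details": "C:\\ProgramData\\SystemData\\igfxCUIService.exe",
     "TargetObject": "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\igfxCUIService"},
    {"EventID": 13, "Details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "TargetObject": "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
    {"EventID": 1, "ParentImage": "C:\\ProgramData\\SystemData\\igfxCUIService.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_LINES):
        print(hit)
```

Two caveats for anyone deploying this. Sysmon only emits FileCreate and RegistryEvent records for the paths and keys its configuration includes, so the C:\ProgramData\SystemData\ directory and the Run key have to be in the config before these checks can see anything. And the random sleep between each step means the staging, persistence and execution records arrive minutes apart, so correlate on host rather than expecting them in one tight burst.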