A previously undocumented malware has been uncovered by researchers. Called SysJoker, the backdoor is written in C++ and targets Windows, Linux, and Mac systems.
According to Intezer, the SysJoker malware was first spotted in December 2021.
The malware was uploaded to VirusTotal with the .ts suffix used for TypeScript files and is possibly distributed via an infected npm package.
However, it came under the lens of researchers during an investigation of an attack that targeted Linux-based servers of a leading education institution.
Researchers claim that the attackers behind SysJoker are still active and infecting machines.
This assessment follows the frequent changes observed in the C2 server used by the operators.
Furthermore, based on victimology and malware behavior, researchers assess that SysJoker is after specific targets.
Its behavior is similar for all three operating systems, with the exception of the use of a first-stage dropper in the Windows version.
Once it finds a target, SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive.
It uses Living off the Land (LotL) commands to gather system information such as the MAC address, usernames, physical media serial number, and IP address.
How to mitigate the attacks?
Users or admins can use memory scanners to detect the SysJoker payload in memory. They can also use detection content to search Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) platforms. Ensuring that systems are running the latest software versions also helps prevent the spread of such attacks.
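The behaviour described above (a C2 address decoded from a text file on Google Drive, followed by LotL commands that collect the MAC address, usernames, media serial number and IP address) is the kind of sequence that EDR or SIEM detection content can look for. The following is an added example, not code from the original article or from Intezer's report: it correlates constructed process-telemetry lines so that a single process which contacts a Google Drive host and then launches two or more built-in enumeration tools within a short window raises an alert. The Drive hostnames, the list of enumeration tools, the time window and the sample events are all assumptions chosen for illustration; the report does not list the exact commands SysJoker runs.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hostnames assumed for the "text file hosted on Google Drive" the report
# mentions; these are an assumption, not indicators taken from the report.
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}

# Built-in tools that return the data the report says SysJoker gathers
# (MAC address, usernames, media serial, IP address). The concrete command
# names are an assumption; the report does not enumerate them.
ENUM_TOOLS = {"getmac", "ipconfig", "ifconfig", "ip", "whoami", "wmic",
              "ioreg", "udevadm", "hostname", "system_profiler"}

WINDOW = timedelta(seconds=300)   # how long after the Drive fetch we correlate
MIN_ENUM_CMDS = 2                 # alert threshold, chosen for this example

# Constructed sample telemetry (JSON lines), not real SysJoker data.
SAMPLE_EVENTS = """\
{"ts":"2021-12-10T09:00:01","host":"srv-01","pid":4021,"type":"net_connect","dst":"drive.google.com"}
{"ts":"2021-12-10T09:00:04","host":"srv-01","pid":4021,"type":"proc_start","image":"/sbin/ifconfig","args":"ifconfig -a"}
{"ts":"2021-12-10T09:00:05","host":"srv-01","pid":4021,"type":"proc_start","image":"/usr/bin/whoami","args":"whoami"}
{"ts":"2021-12-10T09:00:06","host":"srv-01","pid":4021,"type":"proc_start","image":"/bin/udevadm","args":"udevadm info --query=property /dev/sda"}
{"ts":"2021-12-10T09:30:00","host":"wks-07","pid":512,"type":"net_connect","dst":"drive.google.com"}
{"ts":"2021-12-10T09:31:00","host":"wks-07","pid":512,"type":"proc_start","image":"C:\\\\Windows\\\\System32\\\\notepad.exe","args":"notepad.exe"}
{"ts":"2021-12-10T10:00:00","host":"srv-02","pid":77,"type":"proc_start","image":"/usr/bin/whoami","args":"whoami"}
{"ts":"2021-12-10T10:00:01","host":"srv-02","pid":77,"type":"proc_start","image":"/sbin/ip","args":"ip addr"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def tool_name(image):
    """Normalise a Windows or Unix image path to a bare, lower-case tool name."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def detect(events):
    """Return one alert per (host, pid) that contacted a Drive host and then
    launched at least MIN_ENUM_CMDS enumeration tools within WINDOW."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["host"], ev["pid"])].append(ev)

    alerts = []
    for (host, pid), evs in by_proc.items():
        fetches = [e["ts"] for e in evs
                   if e["type"] == "net_connect" and e["dst"] in DRIVE_HOSTS]
        for t0 in fetches:
            cmds = [tool_name(e["image"]) for e in evs
                    if e["type"] == "proc_start"
                    and t0 <= e["ts"] <= t0 + WINDOW
                    and tool_name(e["image"]) in ENUM_TOOLS]
            if len(cmds) >= MIN_ENUM_CMDS:
                alerts.append({"host": host, "pid": pid,
                               "fetch_ts": t0.isoformat(),
                               "commands": sorted(set(cmds))})
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

Only srv-01 fires: it fetched from Drive and then ran three enumeration tools within the window. wks-07 contacted Drive but launched nothing suspicious, and srv-02 ran enumeration tools with no preceding Drive fetch, which is normal administrative activity. Keying on the sequence rather than on either event alone is what keeps the rule from alerting on every Google Drive sync client.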