Windows, Linux and macOS users are in the crosshairs of SysJoker: the cross-platform malware has been active since the second half of last year and exploits a backdoor to establish initial access on the target machine. Here are all the details and how to defend yourself

A new C++-based cross-platform malware called SysJoker has been announced that is targeting Windows, Linux and macOS with the ability to evade detection systems on all three operating systems.

The cyber espionage campaign dates back to the second half of last year and was detected by security researchers Avigayil Mechtinger, Ryan Robinson and Nicole Fishbein of Intezer.

SysJoker’s behavior is similar for all three operating systems, and there are small differences depending on the operating system. The infection occurs disguised as a system update. On the Window version it is done by running the style-loader.ts.dll library on npm, which downloads the msg.zipper file from a GitHub repository, unzips it and runs it on the path “C:/ProgramData/RecoverySystem/”. All these actions are done through PowerShell commands.

How SysJoker works?

SysJoker will remain idle for several minutes before and afterwards it will create a new directory C:/ProgramData/SystemData/ and copy itself to this directory, masquerading as Intel Graphics Common User Interface Service (igfxCUIService.exe). Next, SysJoker will collect information about the compromised machine, such as MAC address, IP address, serial number, and user name. SysJoker will create persistence by adding a registry entry HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun. Between each of the above steps, the malware is silent for a random duration.

Then SysJoker will start its communication with the Command&Contron(C&C) server. The connection to the C&C is established by decoding a string from a text file called domain.txt which is usually available on Google Drive.

Where is SysJoker stored?

In Windows, malware files are located in the folder:

C://ProgramDataRecoverySystem
C:// ProgramDataSystemDataigfxCUIService.exe
C:// ProgramDataSystemDatamicrosoft_Windows.dll. For persistence, the malware creates an auto-run igfxCUIService value that starts the malware executable igfxCUIService.exe

Linux
The files and directories are created in /.Library/ while persistence is established by creating the following cron process

MacOs
files are created at //Library/ and persistence is achieved via LaunchAgent at the path: /Library/LaunchAgents/com.apple.update.plist.