A newly discovered form of malware, called SysJoker poses a threat to the top three operating systems: Windows, Linux, and macOS. If exploited correctly SysJoker provides attackers with full access to compromised systems.
The malware was discovered by Intezer, a New York-based cybersecurity company. They found the malware while triaging an active attack last December.
According to research done by Intezer, the malware pretends to be a system update and generates its Command and Control (C2) by decoding a string retrieved from a text file hosted on Google Drive. Intezer saw the C2 change three times while investigating it, leading them to believe the attacker behind SysJoker is actively monitoring for infected devices.
You can read more about SysJoker at the link posted above or by clicking here: https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
How do you beat SysJoker?
So far, outside of using Intezer’s detection product, “Intezer Protect,” we’re unsure. For Linux machines, there’s a free community edition that’ll do the job.
For Windows machines, they recommend their own Endpoint Scanning tool, which of course, is hidden behind a paywall. To use it you’ll have to sign up for a free trial. Security7 doesn’t know much about Intezer in general so as of right now we don’t recommend you do it.
Otherwise, you can follow these key steps via the use of memory scanners, endpoint detection, and response (EDR) platforms, as well as security information and event management (SIEM) platforms:
- Kill the processes related to SysJoker, delete the relevant persistence mechanism, and all files related to SysJoker.
- Make sure that the infected machine is clean by running a memory scanner.
- Investigate the initial entry point of the malware. If a server was infected with SysJoker during the course of this investigation, check:
- Configuration status and password complexity for publicly facing services, and
- Used software versions and possible known exploits.
Other than that, it’s all we know. There’s plenty of information in the linked blog post that can help you along the path. Beyond that, we’ll keep you informed here on the blog as new information becomes available.
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.