Custom-Written Malware Discovered on Windows, macOS, and Linux Systems

Malware, Windows, macOS, Linux.

According to Intezer, its security team found custom-written malware on the Linux web server of a leading educational institution in December 2021. Mac and Windows variants of the same malware, since dubbed SysJoker, were found shortly afterwards, showing that the operators had built a cross-platform tool rather than a one-off Linux implant. At the time of the report, the macOS and Linux samples were not flagged by any of the antivirus engines and scanners aggregated by VirusTotal.

The C++ remote access trojan (RAT) is believed to have been released between mid- and late 2021 and went unnoticed for several months. On each platform SysJoker masquerades as a system update. Every variant is tailored to its operating system, and the macOS and Linux builds in particular had zero detections on VirusTotal when the report was published.

The behavior of the RAT

The RAT behaves similarly on all three operating systems. On Windows, after execution it creates a directory of its own under C:\ProgramData and copies itself there as igfxCUIService.exe, posing as Intel's Graphics Common User Interface Service; the macOS and Linux variants follow the same pattern with platform-appropriate names and paths. Once installed, it gathers machine information, including the MAC address, hardware serial number, and IP address, and sends it to its operators.
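The masquerade described above is easy to hunt for: a genuine Intel igfxCUIService.exe lives under the Windows system directories, so any file with that name elsewhere deserves a look. The script below is an added example, not Intezer's code; it walks a file inventory (a constructed sample is embedded, and a helper can enumerate a live host), allow-lists the directory prefixes assumed to be legitimate Intel install locations, and reports every igfxCUIService.exe outside them. The allow-list and the sample paths are assumptions for illustration; tune them for your fleet.

```python
"""Hunt for binaries masquerading as Intel's igfxCUIService.exe.

Added example (not Intezer's code). SysJoker's Windows variant drops a copy
of itself named igfxCUIService.exe in a directory it creates under
ProgramData. The legitimate Intel service binary is installed under the
Windows system directories, so the name appearing anywhere else is a lead.
Assumption: LEGIT_PREFIXES below are where a genuine Intel install puts the
file; extend the tuple if your driver packaging differs.
"""
import os
from pathlib import PureWindowsPath
from typing import Iterable, List

TARGET_NAME = "igfxcuiservice.exe"  # compared case-insensitively

# Assumed legitimate locations (prefix match, case-insensitive).
LEGIT_PREFIXES = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def is_under(path: PureWindowsPath, prefix: PureWindowsPath) -> bool:
    """Case-insensitive test that `path` lies inside `prefix`."""
    p = [part.lower() for part in path.parts]
    q = [part.lower() for part in prefix.parts]
    return p[: len(q)] == q


def find_masquerades(paths: Iterable[str]) -> List[str]:
    """Return the paths named igfxCUIService.exe outside the allow-list.

    NTFS is case-insensitive, so the file name is lowered before comparing;
    the order of the input inventory is preserved in the result.
    """
    hits: List[str] = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.name.lower() != TARGET_NAME:
            continue
        if any(is_under(p, pre) for pre in LEGIT_PREFIXES):
            continue
        hits.append(raw)
    return hits


def enumerate_tree(root: str) -> List[str]:
    """Enumerate files under `root` on a live host (use C:\\ on Windows)."""
    out: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            out.append(os.path.join(dirpath, name))
    return out


# Constructed sample inventory (e.g. exported from an EDR or `dir /s /b`).
# Two entries are legitimate-looking system paths; two are the kind of
# user-writable locations a dropped copy would sit in.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\DriverStore\FileRepository\igfx_example.inf_amd64\igfxCUIService.exe",
    r"C:\Windows\System32\igfxCUIService.exe",
    r"C:\ProgramData\SystemData\igfxCUIService.exe",
    r"C:\Users\alice\AppData\Local\Temp\IGFXCUISERVICE.EXE",
    r"C:\Program Files\Intel\Graphics\igfxEM.exe",
]

if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_INVENTORY):
        print("suspicious copy:", hit)
```

Run it against `enumerate_tree(r"C:\")` on a suspect host, or feed it a file listing pulled from your EDR; a hit is a starting point for the memory scan and persistence review, not proof of compromise on its own.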

Intezer's full blog post documents the malware's behavior, its encoding and decoding schemes, and its command and control (C2) instructions in detail.

The post also gives detection and response guidance for determining whether an organization has been compromised and what to do next. Intezer Protect can scan Linux-based systems for malicious code, and the company offers a free community edition for that purpose; Windows users are directed to Intezer's endpoint scanner. Owners of compromised systems are advised to take the following steps:

  • Kill all SysJoker-related processes, then remove the persistence mechanism and every other SysJoker-related file.
  • Run a memory scanner on the infected machine to confirm it is clean.
  • Investigate how the malware got in. If a server was infected with SysJoker, check:
      • the configuration and password complexity of its publicly accessible services;
      • the software versions in use and any known exploits that affect them.

According to the researchers, SysJoker is the work of an advanced threat actor targeting specific organizations, most likely for espionage and possibly as a foothold for a later ransomware attack.