Malware masquerades as a system update on Windows, macOS, and Linux.
Malware can now make its way onto all three major operating systems: Windows, macOS, and Linux. For several months, one such strain managed to stay off the radar of the various threat-detection systems, products, and platforms. Eventually, researchers at Intezer, a New York-based computer security company, uncovered this multi-OS malware and named it “SysJoker”.
The Intezer investigation
SysJoker is a backdoor. It runs in the background and therefore does not appear among the programs in use. The attacker behind it uses the backdoor to spy on a user: through it, they can manage the victim’s files, monitor every action performed on the PC, or install additional software, including other malware. SysJoker has probably been active since the second half of 2021.
Engineers first spotted SysJoker on a Linux web server belonging to a school sometime in December. Following this discovery, they launched a broader investigation, and it was only after several months that the researchers found the backdoor on Windows and macOS as well.
Almost invisible software
This threat is almost impossible to detect with so-called “traditional” antivirus products. Its distinctive trait is that it evades detection software by posing as a system update.
To assess the malware’s evasion capabilities, Intezer submitted a sample to VirusTotal, which scans it against some 70 antivirus engines. None detected the macOS or Linux versions, and only six flagged the Windows version.
Camouflage to the letter
On Windows, SysJoker arrives as a DLL, a dynamic link library, the shared-code format through which Windows exposes most of its system functionality. Once this library is in place, it runs PowerShell commands that decompress SysJoker, still packed in ZIP format at that point, and then execute it.
SysJoker then creates a new directory, “C:\ProgramData\SystemData\”, and hides there under the name “igfxCUIService.exe”. This name refers to the “Intel Graphics Common User Interface Service”, a component installed alongside the drivers for Intel graphics cards and an integral part of the brand’s user interface. Once fully installed on the system, SysJoker can collect the information needed to execute commands (exe, cmd, remove_reg and exit) and to install other malware.
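The two Windows artifacts named above, the drop directory and the borrowed Intel service name, are enough for a quick host check. The following PowerShell is an added example, not code from the article or from Intezer; it assumes that a legitimate igfxCUIService.exe lives only under the Windows system or driver-store directories, so the dropped copy is flagged by its path rather than by a signature.

```powershell
# Added example (not from the article or from Intezer): hunt for the SysJoker
# Windows artifacts described above. Assumption: a genuine Intel
# igfxCUIService.exe is only expected under System32 or the driver store.
$suspectDir  = 'C:\ProgramData\SystemData'
$suspectName = 'igfxCUIService.exe'
$legitRoots  = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
)

$findings = @()

# 1. The dropped file: the article names this directory and file name.
$dropped = Join-Path $suspectDir $suspectName
if (Test-Path -LiteralPath $dropped) {
    $findings += [pscustomobject]@{ Check = 'File'; Detail = $dropped }
}

# 2. A running process using the Intel service name whose image path is not
#    under one of the assumed legitimate roots. ExecutablePath can be empty
#    for protected processes, so a missing path is also reported.
Get-CimInstance Win32_Process -Filter "Name = '$suspectName'" | ForEach-Object {
    $img = $_.ExecutablePath
    $inLegitRoot = $false
    foreach ($root in $legitRoots) {
        if ($img -and $img.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inLegitRoot = $true
        }
    }
    if (-not $inLegitRoot) {
        $findings += [pscustomobject]@{
            Check  = 'Process'
            Detail = "PID $($_.ProcessId) image '$img'"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No SysJoker artifacts found.' }
```

A hit on either check is a lead for the full set of indicators in Intezer's write-up, not a verdict on its own.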
Going further, an Intezer blog post gives a detailed explanation of the malware’s behavior, its encoding and decoding schemes, and its command-and-control instructions. It also walks readers through the steps for determining whether a system has been compromised.