Custom-written malware discovered across Windows, macOS, and Linux systems

Jimmy2x

Posts: 84   +8
Staff
Why it matters: In December 2021, the security team at Intezer identified custom-written malware on a leading educational institution's Linux web server. The malware, since named SysJoker, was later discovered to also have Mac and Windows-based variations, increasing its ability to infect desired systems. The macOS and Linux variations are currently undetectable by most antivirus products and scanners.

The custom-written, C++ based remote access trojan (RAT) that went completely undetected for several months may have been released around mid to late 2021. Named SysJoker by Intezer's security team, the program conceals itself as a system update within the target's OS environment. Each variation of the malware is tailored to the operating system it targets, many of which have proven to be difficult or impossible to detect. According to VirusTotal, an antivirus and scan engine aggregator, the macOS and Linux versions of the program are still undetectable.

The RAT's behavior is similar across all of the impacted operating systems. Once executed, it creates and copies itself to a specific directory masquerading as Intel's Graphics Common User Interface Service, igfxCUIService.exe. After several other actions are executed, the program will begin collecting machine information such as the MAC address, serial numbers, and IP addresses.

Intezer's blog post provides a fully detailed explanation of the malware's behavior, decoding and encoding schemes, and command and control (C2) instructions.

The blog provides readers with detection and response steps that can be followed to determine if your organization was compromised and what next steps to take. Intezer Protect can be used to scan for malicious code on Linux-based systems. The company provides a free community edition of the product to conduct scans. Windows systems are advised to use Intezer's endpoint scanner. Owners of compromised systems are advised to:

  • Kill the processes related to SysJoker and delete the relevant persistence mechanism and all files related to SysJoker
  • Run a memory scan on the infected machine
  • Investigate the initial entry point of the malware
  • If a server was infected with SysJoker, in the course of this investigation, check:
  • Check the configuration status and password complexity for publicly facing services on infected servers
  • Check software versions and known exploits affecting infected servers

Analysis of the organizations targeted, and the RAT's designed behavior, leads researchers to believe SysJoker is the work of an advanced threat actor targeting specific organizations for the purpose of espionage and potentially ransomware attacks.

Permalink to story.

 

3volv3d

Posts: 424   +220
Well, if you want to do something properly, why copy and paste a whole load of someone else's code, that has already been found, analysed, and easy to pick up?

Is that the going trait for hackers, to do a copy paste thing?

I was told it was rather easy to change code so that the signature/ heuristics were no longer recognisable to the AV. Hence why I have always considered them to be pretty much useless. I mean they keep the regular riff raff at bay I guess, but when Covid wants your PC, someone makes a slightly different variant, and that's that. You should have isolated more.

 

Kosmoz

Posts: 579   +1,061
advanced threat actor targeting specific organizations for the purpose of espionage and potentially ransomware attacks.
It's like we just discovered now that they are spying on each other and all of them on us, the population.... really?

Meh... 😒
 

thelatestmodel

Posts: 224   +188
For the second time this year, forcefully shutting off automatic updates has rendered useful results.

What a shocker.. 🤪

Not quite, the article says the malware "disguises" itself as an update file, not that it is delivered via the normal update mechanism. I wouldn't recommend not updating your OS, that's even more risky.
 

ZedRM

Posts: 948   +658
Not quite, the article says the malware "disguises" itself as an update file, not that it is delivered via the normal update mechanism. I wouldn't recommend not updating your OS, that's even more risky.
Seriously? It's called manual updating. I don't not apply updates, I just don't allow them automatically. You keep your recommendations to those who asked for them. And before anyone claims I'm being rude, this user making the remark they did assumed I was ignorant and don't know exactly what I'm doing. I consider THAT to be very rude.
 
Last edited:

BadThad

Posts: 997   +1,136
SCUM! Death penalty for haxors and malware writers! The only way to cut down the attacks is to make the penalty for getting caught more than a slap on the wrist. These aholes cause BILLIONS of dollars in damage every year, yet when they do get caught the penalty is minimal. There is little disincentive to hack and write malicious software when money is on the table and penalties are almost nil.
 

Gezzer

Posts: 250   +124
Malware scanners and security updates are all well and good, but I prefer going old school. Don't be an *****. It hasn't failed me yet.
So far every time I've had an issue it was first and foremost because I did something stupid/foolish. Be diligent and practice good habits and you'll be safe the majority of the time. Then keep good back ups for when a nuke from above is your only option.

It's very true that the only really secure computer is one that's air gaped, locked in a vault, and unplugged for good measure.