New SysJoker Espionage Malware Targeting Windows, macOS, and Linux Users (Security News, January 2022)
A new cross-platform backdoor called "SysJoker" has been observed targeting machines running Windows, Linux, and macOS operating systems as part of an ongoing espionage campaign that's believed to have been initiated during the second half of 2021.
"SysJoker masquerades as a system update and generates its by decoding a string retrieved from a text file hosted on Google Drive," Intezer researchers Avigayil Mechtinger, Ryan Robinson, and Nicole Fishbein noted in a technical write-up publicizing their findings.
"Based on victimology and malware's behavior, we assess that SysJoker is after specific targets."
The Israeli cybersecurity company, attributing the work to an advanced threat actor, said it first discovered evidence of the implant in December 2021 during an active attack against a Linux-based web server belonging to an unnamed educational institution.
A C++-based malware, SysJoker is delivered via a dropper file from a remote server that, upon execution, is engineered to gather information about the compromised host, such as MAC address, user name, physical media serial number, and IP address, all of which are encoded and transmitted back to the server.
What's more, the connection to the attacker-controlled server is established by extracting the server's domain from a text file hosted at a hard-coded Google Drive link. That server then relays instructions that let the malware run arbitrary commands and executables on the machine, after which the results are sent back to the server.
News URL
https://thehackernews.com/2022/01/new-sysjoker-espionage-malware.html