SysJoker is a new backdoor malware that’s been discovered, which can apparently attack Windows, macOS, and Linux machines without being detected by the operating systems.

The malware was discovered after Intezer researchers, who first noticed its activity when they were probing an attack on a Linux web server back in December of 2021.

It is said that the initial uploads of the malware samples happened in H2 of 2021 on VirusTotal. The timeline aligns with the C2 domain registration logs.

Now, the detailed technical report on SysJoker has been released.

It’s said that the malware is written in C++. It cannot be detected on VirusTotal, despite having different variants custom-made of each respective operating system.


For those who are unfamiliar, VirusTotal is an online malware scanning website that utilizes 57 antivirus detection engines.

So, how does it operate? On Windows machines, SysJoker utilizes a first-stage dropper dressed as a DLL, which then uses PowerShell commands to work on the following: access a GitHub repository to get the SysJoker ZIP, then, unzip it on the “C:\ProgramData\RecoverySystem\” before executing the payload.

The malware will then lay low and sleep for up to 2 minutes, then, it will create a new directory to copy itself as an Intel Graphics Common User Interface Service.

Then, the Interezer report says that the “SysJoker will gather information about the machine using Living off the Land (LOtL) commands. SysJoker uses different temporary text files to log the results of the commands,”

“These text files are deleted immediately, stored in a JSON object and then encoded and written to a file named “microsoft_Windows.dll”.”, the researchers added.

The malware will then build persistence by creating a new registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run). Leading to this move, random sleep times are being interposed.

Next, it will use a hardcoded Google Drive link to reach out to the C2 server that’s being controlled by the actor.

To avoid being detected, the link hosts a domain.txt file, which is being updated regularly by the actors.

After a couple of steps, the C2 will have the power to install additional malware to the machine, run commands, or ask the backdoor to pull out itself from the machine.

Meanwhile, while the macOS and Linux variants don’t have the first-stage dropper step, they can be used to perform the same malicious behavior on affected machines.

Thankfully, there’s a way to detect and prevent the attacks, which has been detailed in the Intezer report.

Leave a comment

Your email address will not be published. Required fields are marked *