This is a new strain of malware called SysJoker
It's especially dangerous because it can target Windows, Mac, or Linux systems. That makes it an equal opportunity strain.
Researchers at Intezer are credited with discovering malware in the wild in December of 2021 during an investigation of an attack on a Linux server. The group was able to obtain samples of the virus for analysis and concluded that SysJoker (more technical info on the malware) is a nasty piece of work indeed.
Written in C++, the malware strain is cunningly constructed to evade detection on all three Operating Systems. In fact, it's so good at evading detection that none of the 57 antivirus programs the Intezer researchers tested were able to detect the presence of the malware.
SysJoker is harmless by itself but that is by design. It is a first-stage dropper and its only job is to gain a foothold in a target network.
Once there it will sleep for two minutes before creating a new directory and then copy itself to that directory all while disguised as an Intel Graphics Common User Interface Service ("igfxCUIService.exe").
According to the Intezer report, this is what happens next
"...SysJoker will gather information about the machine using Living off the Land (LOtL) commands. SysJoker uses different temporary text files to log the results of the commands," explains Intezer's report.
These text files are deleted immediately, stored in a JSON object and then encoded and written to a file named "microsoft_Windows.dll"."
When that is done, the malware creates persistence by adding a new registry key (HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun). Random sleep times are interposed between all functions leading to this point.
Finally, it will reach out to the actor-controlled command and control server using a hardcoded Google Drive link. Once that connection has been established, the hackers can install whatever payload they wish onto the infected system.
My perspective
None of the major AV programs can detect SysJoker at present. Given that it can infect Windows, Mac, and Linux systems, this is one to keep a watchful eye out for.
The Joker might say: "Why so serious?"
By Denis Wilson
Thanks for reading this post. I always take into mind that your time and attention are precious. And these posts need to be timely, to the point, and short.
For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter.
I am also a published author and speaker on cloud computing, work-at-home, and cybersecurity. I work extensively with business and professional associations to provide free small business technology education programs.
Contact me if you would like me to speak to your association
