In the closing days of 2021, a new type of malware was discovered breaking into a Linux-based server. Worryingly, it was found to be undetectable by antivirus-scanning software and houses multiple forms — giving it the capability to infect Windows, macOS, and Linux operating systems. Dubbed SysJoker, this new piece of malware should be on everyone’s radar.
Charles Whitmore
Jan 21, 2022 · 3 min read
The most basic definition of SysJoker would be a backdoor. A backdoor is a method for unauthorized users to bypass certain security measures and gain access to a computer system.
Backdoors are often used by hackers and cybercriminals to sneak into a system and implement several types of nefarious activities. Such activities can include implementing ransomware, embedding keylogging software, injecting disruptive malware, and conducting unauthorized surveillance.
Typically, SysJoker behavior follows a similar pattern. It observes, logs, and reports specific information about whichever computer it’s infected. MAC addresses, usernames, and IP addresses are all at risk from SysJoker. The primary purpose of SysJoker seems to be surveillance and espionage.
When SysJoker was first discovered in late December of 2021, it was in the middle of attacking the web servers of a “leading educational institution.” While initially assumed to affect only Linux systems, Windows and macOS versions were soon discovered. According to Intezer, the security firm that made the discovery, the first attack may have been executed earlier in the year.
SysJoker can only be activated by the victim. The user has to download and install the software — which is disguised as a system update. This simple form of trickery further reinforces the danger behind socially engineered cyber attacks.
What separates SysJoker from other types of malware is how it seems to have been built from the ground up — it’s not based on any existing malware. In fact, the complexity of the malware, along with the fact that it’s connected to four different command-and-control servers, implies that significant resources have been devoted to creating this piece of malware. It isn’t from your typical, run-of-the-mill cybercriminal. Whoever created SysJoker knows their stuff.
The multiple command-and-control servers can continue to give it additions and instructions. SysJoker, with prompting from the control servers, can potentially become more potent or develop stronger capabilities as time passes.
Due to the very recent discovery of SysJoker, it is nigh undetectable by most virus-scanning software. Luckily, however, there are ways to detect if your system has been infected with this particularly persistent bug.
Users can run a memory scanner on their systems. While your standard antivirus suite won’t recognize the new piece of malware, a memory scanner can detect the SysJoker data payload. Once detected, it is key that you delete all new SysJoker files and to end all SysJoker-related processes.
After this step is complete, run a memory scan again to double check that all traces of SysJoker have been removed. Now that your systems have been cleansed, it’s time to figure out the entry point of the malware. Remember that SysJoker requires a user to download and install the file themselves.
The best way to prevent SysJoker from running amok across your network is to clue yourself in to basic cybersecurity etiquette. If you receive an email or message containing a suspicious link, don’t even entertain the idea of figuring out where it came from. Send it straight to the trash. Hackers rely on the naivety of unaware users.
SysJoker masquerades as a system update. So long as you haven’t downloaded anything from any suspicious websites or opened any odd links, then SysJoker has no way of getting to you. In addition, SysJoker was attacking an educational system and seems to have been created with quite the budget behind it. Therefore, whichever actors funded the project probably won’t be interested in duping the average user.
Knowledge is key. Hackers always prey on the naive and uninformed.