SysJoker Malware Threat Alert
Threat Name: SysJoker
Threat Type: Backdoor
On Tuesday, January 11th, 2022, Intezer released a research report on a new backdoor it had identified and named SysJoker. Intezer first found the malware on a Linux system, an increasingly popular target, and published an in-depth analysis of its behavior and functionality.
While investigating this malware, the Intezer team determined that SysJoker is cross-platform, with variants for Windows, macOS and Linux, which is uncommon for a backdoor. The malware masquerades as a system update and, once installed, retrieves the address of its C2 server from a file hosted on Google Drive, then contacts that server for further instructions and follow-on compromise.
zvelo’s Detection & Coverage of SysJoker
Importantly, zvelo’s Malicious Detailed Detection Feed (MDDF) protects clients from this cross-platform attack by enabling them to block connections to the malicious URLs, preventing the backdoor from reaching its C2 infrastructure. Because SysJoker resolves its C2 address through a file hosted on Google Drive, coverage needs to include both that Drive URL and the C2 domains it points to; blocking the C2 domains alone leaves the lookup visible but unblocked, and blocking all of Google Drive is rarely an option.
- These SysJoker backdoor indicators were detected by zvelo’s MDDF in early December 2021, while the threat was still being analyzed by Intezer, so partners were protected before the report was released.
- Existing callback sites and command and control (C2) nodes: once malicious cyber actors (MCAs) compromise a system, they establish connectivity to their existing malicious infrastructure. MDDF includes thousands of related URLs spanning domains, full paths and IP addresses, providing broad coverage.
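The three indicator kinds listed above (domains, full-path URLs and IP addresses) have to be matched differently: a domain indicator should catch any subdomain, a full-path indicator should match only that host and path (this is what lets a Drive-hosted dead-drop be blocked without blocking the whole service), and an IP indicator should match an IP-literal host regardless of port. The matcher below is an added example written for this post, not zvelo's MDDF or Intezer's code; the feed entries, log format and log lines are constructed placeholders (`example.invalid`, TEST-NET addresses), not real SysJoker indicators.

```python
"""Match web-proxy log URLs against a feed of C2 indicators.

Added example, not zvelo's or Intezer's code. All indicators and log lines
are constructed placeholders, not real SysJoker IoCs.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class IndicatorFeed:
    domains: set = field(default_factory=set)  # bare hosts: match host and any subdomain
    paths: set = field(default_factory=set)    # (host, "/path?query"): same host, path boundary
    ips: set = field(default_factory=set)      # ipaddress objects: match IP-literal hosts

    @classmethod
    def from_lines(cls, lines):
        feed = cls()
        for raw in lines:
            ind = raw.strip()
            if not ind or ind.startswith("#"):
                continue
            if "://" in ind:                   # tolerate a scheme in the feed
                ind = ind.split("://", 1)[1]
            host, sep, rest = ind.partition("/")
            host = host.split(":")[0].lower()  # drop port, normalise case
            try:
                feed.ips.add(ipaddress.ip_address(host))
                continue
            except ValueError:
                pass
            if sep:
                feed.paths.add((host, "/" + rest))
            else:
                feed.domains.add(host)
        return feed

    def match(self, url):
        """Return (kind, indicator) for the most specific hit, or None."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:                     # IP-literal host: only IP indicators apply
            return ("ip", str(ip)) if ip in self.ips else None
        for ind_host, ind_path in self.paths:  # full path: same host, exact or sub-path
            if host == ind_host and (target == ind_path or target.startswith(ind_path + "/")):
                return ("path", ind_host + ind_path)
        labels = host.split(".")               # domain: host itself or any parent domain
        for i in range(len(labels) - 1):       # never match on a bare TLD
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return ("domain", candidate)
        return None


def scan_log(feed, lines):
    """Return (line_no, kind, indicator) for each log line whose URL hits the feed.

    Assumes a constructed space-separated log format whose last field is the URL.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        hit = feed.match(line.split()[-1])
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits


# Constructed feed: one domain, one full-path (dead-drop style) URL, one IP.
SAMPLE_FEED = [
    "# constructed indicators, not real SysJoker IoCs",
    "c2-updater.example.invalid",
    "docs.example.invalid/uc?export=download&id=abc123",
    "198.51.100.23",
]

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = [
    "2022-01-12T10:03:11Z 10.0.0.5 GET http://sub.c2-updater.example.invalid/api/attach",
    "2022-01-12T10:03:12Z 10.0.0.5 GET https://docs.example.invalid/uc?export=download&id=abc123",
    "2022-01-12T10:03:13Z 10.0.0.7 GET https://docs.example.invalid/other",
    "2022-01-12T10:03:14Z 10.0.0.7 GET http://198.51.100.23:8080/beacon",
    "2022-01-12T10:03:15Z 10.0.0.9 GET https://www.example.org/",
]

if __name__ == "__main__":
    feed = IndicatorFeed.from_lines(SAMPLE_FEED)
    for n, kind, ind in scan_log(feed, SAMPLE_LOG):
        print(f"line {n}: block ({kind}) {ind}")
```

Line 3 is the important negative case: the same host as the full-path indicator, but a different path, so it is not blocked, which is exactly the behaviour you want for a shared file-hosting domain. Line 1 shows why domain indicators must match subdomains, and line 4 shows why an IP indicator must ignore the port.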
zvelo’s Cybersecurity Team constantly monitors the latest Cyber Threat Intelligence (CTI) from sources around the world to validate that current threats are part of our growing dataset. Please contact zvelo for more information on what to do if you have been impacted by SysJoker or other malware, or if you have questions about how to best protect your organization from similar threats in the future.