SysJoker Backdoor
Malicious actors have been creating software for nefarious purposes since the early days of computing, and the idea of machines (code) being created to damage other machines (computer systems) autonomously can be traced back as far as the early 1940s. Over the last 5 decades this kind of malicious software has been sorted into various categories: Viruses, Creepers and Trojans at first, with the most recent additions being Ransomware, Spyware, Adware and Backdoors. Ultimately, all of these belong to one family of software called Malware (Malicious Software).
One of the most recent examples of backdoor malware detected in the wild is SysJoker, discovered in December 2021 by the cybersecurity firm Intezer. As a backdoor, SysJoker lets malicious actors gain access to an infected system through a network backdoor that the malware has conveniently established for them.
Although it was originally believed that SysJoker could only target systems running a Linux-based operating system, it was soon discovered that the malware had other variants, which were also able to infect systems and PCs running Microsoft Windows as well as Macintosh platforms. So while most malware is engineered to target one specific system, SysJoker has a variant for the majority of operating systems in use today.
How dangerous is having your system infected by this malware?
Because a backdoor gives malicious actors direct access to your PC and network, those actors can monitor any network traffic to and from your devices and potentially execute scripts and install whatever applications they like. This can be used for detailed industrial espionage or for even more nefarious ends such as ransomware and denial-of-service attacks that bring an organization to its knees.
It therefore doesn't matter whether this malware infects your personal computer or that of your organization: the outcome will always be toxic. The scary part is that unless your threat-detection regime includes an up-to-date adaptive signature analysis engine, you might not even be aware that your device is infected.
How does this piece of malicious software work?
Traditional anti-malware tools compare incoming applications against libraries of known malware signatures, the code patterns that make up various kinds of malware. Your antivirus software compares new software and files to the signatures in its database and flags potentially malicious software on that basis. The problem with SysJoker, however, was that it was deliberately developed to avoid reusing any existing malware code, so anti-malware software was unable to identify the backdoor as malicious for many months.
In Windows environments, SysJoker was observed to pause for a random period before beginning to establish itself. It starts by creating a folder structure for itself and then installs itself while masquerading as a device driver. After another random period, it creates Windows registry keys to establish itself as an application that the operating system trusts.
SysJoker then collects data about the device and the network it is connected to and transmits this information to the malicious third party in encrypted form. What is interesting about SysJoker is that its source code revealed it can be remotely instructed to perform various tasks, even to uninstall itself from the host. This is also typical of zero-click malware.
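As an added example that is not part of the original article, the following Python sketch takes the defender's view of the chain just described: a file dropped into a driver directory, an autostart registry value, and outbound traffic from the same process, correlated per process so the behaviour is flagged without any byte signature. The event format, paths, key names and addresses are constructed for illustration, and the Sysmon-style event IDs are an assumption.

```python
# Added example, not from the original article: a behaviour-based correlation
# rule showing why the chain described above (drop a file posing as a driver,
# add an autostart registry value, then send data out) is detectable even when
# no byte signature exists for the sample. All event lines, paths, key names
# and addresses are constructed placeholders, not real SysJoker indicators.
import re
from collections import defaultdict

# Constructed Sysmon-style records: "<event_id> pid=<n> <key>=<value>"
# (assumed IDs: 11 = file create, 13 = registry value set, 3 = network connect)
SAMPLE_EVENTS = """\
11 pid=4120 file=C:\\Windows\\System32\\drivers\\placeholderdrv.exe
13 pid=4120 reg=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\PlaceholderDrv
3 pid=4120 dst=203.0.113.10:443
11 pid=5008 file=C:\\Users\\alice\\Documents\\report.docx
3 pid=5008 dst=198.51.100.5:443
13 pid=6172 reg=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\UpdaterStub
""".splitlines()

LINE_RE = re.compile(r"^(?P<eid>\d+) pid=(?P<pid>\d+) (?P<key>\w+)=(?P<val>.+)$")
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
DRIVER_DIR_RE = re.compile(r"\\drivers\\", re.IGNORECASE)

def parse_events(lines):
    """Group events by pid; each event is (event_id, key, value)."""
    by_pid = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # silently skip lines that do not fit the constructed format
            by_pid[int(m["pid"])].append((int(m["eid"]), m["key"], m["val"]))
    return by_pid

def persistence_chain_hits(lines):
    """Return pids that dropped an executable into a driver directory, wrote an
    autostart registry value and opened an outbound connection."""
    hits = []
    for pid, events in parse_events(lines).items():
        dropped_driver = any(
            eid == 11 and DRIVER_DIR_RE.search(val) and val.lower().endswith(".exe")
            for eid, _, val in events)
        autorun = any(eid == 13 and AUTORUN_RE.search(val) for eid, _, val in events)
        beacon = any(eid == 3 for eid, _, _ in events)
        if dropped_driver and autorun and beacon:
            hits.append(pid)
    return sorted(hits)

if __name__ == "__main__":
    print(persistence_chain_hits(SAMPLE_EVENTS))  # -> [4120]
```

Only the process that performs all three steps is reported; a document write with a network connection, or a lone autorun entry, does not trip the rule.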
How can organizations guard against it?
Since SysJoker is a very new kind of malware, none of the existing anti-malware solutions will be able to flag it as malicious yet. Organizations need to be proactive and start by actively running memory scanners to identify the various payloads passing through the memory of their systems. Alternatively, for Windows environments, up-to-date endpoint scanners will give system engineers enough information to establish the origin of incoming traffic and binary code. The endpoint scanner operates in memory and looks for code that is out of the ordinary.
Since this threat does not broadcast its malicious intent from the moment your system first comes into contact with it, the risk might be underestimated by system administrators and engineers. The truth of the matter is that this backdoor can most definitely be used to deliver payloads that are far more violent and malevolent. Keeping your organization's security compliance in check should always remain a well-established priority across all systems and environments.