SysJoker

Malware

⚠️ Overview

SysJoker is a cross-platform backdoor first publicly documented by Intezer in January 2022, after a sample was found in December 2021 on a Linux web server belonging to an educational institution. Separate builds target Windows, Linux and macOS. Intezer assessed the operator as a capable, likely state-aligned actor but did not attribute it; in November 2023 Check Point Research linked later variants to the Hamas-affiliated Gaza Cybergang. The malware is notable for resolving its real C2 address through legitimate cloud storage services (a dead-drop resolver pattern), so its first network hop blends in with ordinary SaaS traffic.

🔧 Technical Capabilities

The original 2021/2022 samples are written in C++, with a distinct payload for each OS: a PE executable for Windows, an ELF binary for Linux and a Mach-O binary for macOS. A rewrite in Rust was documented by Check Point Research in 2023. On Windows the 2022 chain starts with a first-stage dropper DLL that uses PowerShell to fetch and unpack the backdoor, copies it under `C:\ProgramData` with a name imitating Intel graphics software (`igfxCUIService.exe`) and registers it under the user's Run key. Some Windows builds have also been reported to use DLL side-loading, where a legitimate signed executable (a SafeNet eToken component in the reported case) loads the malicious DLL.

Rather than embedding a C2 address, the backdoor carries a hard-coded link to a file on a legitimate cloud storage service: Google Drive in the 2022 samples, with Dropbox and OneDrive seen in later variants. It downloads that file, decodes the C2 URL inside it and only then contacts the operator's server; because the operator can edit the hosted file, the real infrastructure can be rotated without touching infected hosts. Tasking uses JSON messages and supports running commands and returning their output, fetching and executing additional payloads, self-update and self-removal, alongside basic host reconnaissance (user name, MAC address, OS version, IP) sent at check-in. Persistence is a Run registry value on Windows, an `@reboot` cron entry on Linux and a LaunchAgent plist on macOS; on all three platforms the binary lives in a directory named to look like system software. Strings and the downloaded C2 pointer are base64-encoded and encrypted with a simple symmetric cipher (RC4 in this page's sources), and the backdoor sleeps for long, in later variants randomised, intervals to outlast sandbox analysis.
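The three persistence primitives above are also the cheapest place to look for an infection. The script below is an added example for this page, not Intezer's tooling or code from the malware: it parses a crontab, a launchd plist and a set of Run-key values and flags start-at-login entries that execute from temp, hidden or ProgramData paths. The heuristic, the directory markers and every sample input are assumptions constructed for the example; `collect_live()` runs the same checks against the host it is executed on.

```python
"""Audit the persistence locations SysJoker is described as using.

Added example for this page; it is not Intezer's tooling or code from the
malware.  The heuristics (flag start-at-login entries that execute from
temp, hidden or ProgramData directories) are generic assumptions, and every
sample input below is constructed, not a real SysJoker artefact.
"""
import os
import plistlib
import subprocess
import sys

# Directories a login-time persistence entry should rarely execute from (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/.",
                   "\\appdata\\local\\temp\\", "\\programdata\\")


def _from_suspicious_dir(command: str) -> bool:
    """True if the command's path contains a temp, hidden or ProgramData segment."""
    c = command.lower()
    return any(marker in c for marker in SUSPICIOUS_DIRS)


def suspicious_cron_lines(crontab_text: str) -> list:
    """Return crontab entries that run at boot or execute from a suspicious directory."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                      # @reboot, @daily, ...
            schedule, _, command = line.partition(" ")
        else:                                         # m h dom mon dow command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        # SysJoker's Linux persistence is an @reboot job; flag those outright.
        if schedule == "@reboot" or _from_suspicious_dir(command):
            hits.append(line)
    return hits


def suspicious_launch_agent(plist_bytes: bytes) -> bool:
    """True if a launchd plist starts at load and runs from a suspicious directory."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return True  # an unparseable file in LaunchAgents deserves a look anyway
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    return bool(data.get("RunAtLoad")) and _from_suspicious_dir(program)


def suspicious_run_entries(entries: dict) -> list:
    """Return HKCU Run value names whose command runs from a suspicious directory."""
    return [name for name, cmd in entries.items() if _from_suspicious_dir(cmd)]


def collect_live() -> dict:
    """Read this host's own persistence locations; returns {location: hits}."""
    hits = {}
    if sys.platform.startswith("linux"):
        try:
            out = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
        except OSError:
            out = ""
        hits["user crontab"] = suspicious_cron_lines(out)
    elif sys.platform == "darwin":
        agents = os.path.expanduser("~/Library/LaunchAgents")
        names = os.listdir(agents) if os.path.isdir(agents) else []
        for name in names:
            with open(os.path.join(agents, name), "rb") as fh:
                if suspicious_launch_agent(fh.read()):
                    hits.setdefault("LaunchAgents", []).append(name)
    elif sys.platform == "win32":
        import winreg
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                             r"Software\Microsoft\Windows\CurrentVersion\Run")
        entries = {}
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, value, _ = winreg.EnumValue(key, i)
            entries[name] = str(value)
        hits["HKCU Run"] = suspicious_run_entries(entries)
    return hits


# Constructed samples (not real SysJoker artefacts) shaped like each platform's entry.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /home/alice/.Library/SystemServices/updateSystem
*/10 * * * * /tmp/.X11-unix/sync
"""
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.update.check</string>
<key>RunAtLoad</key><true/>
<key>ProgramArguments</key><array><string>/Users/alice/Library/.updates/check</string></array>
</dict></plist>"""
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "updater": r"C:\ProgramData\SystemData\updater.exe",
}

if __name__ == "__main__":
    print("cron:", suspicious_cron_lines(SAMPLE_CRONTAB))
    print("launchd:", suspicious_launch_agent(SAMPLE_PLIST))
    print("run key:", suspicious_run_entries(SAMPLE_RUN))
    print("live:", collect_live())
```

The output is a review list, not a verdict: legitimate software does occasionally persist from ProgramData or a dotdirectory, so each hit should be triaged by checking the binary's signature and hash before anything is removed.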

📜 History & Notable Incidents

SysJoker was first observed in late 2021 in targeted intrusions against Israeli academic, education and government organisations, and Intezer's January 2022 report gave the first public analysis without attributing the activity. In November 2023 Check Point Research tied Rust-based SysJoker variants, seen during the Israel-Hamas conflict, to the Hamas-affiliated Gaza Cybergang (also tracked as TA402 or Molerats), based on overlaps with the 2016-2017 Operation Electric Powder campaign against the Israel Electric Company; APT-C-23 (Arid Viper) is a separate Gaza-linked cluster that some reporting mentions alongside it. No CVEs are associated with SysJoker; initial access is social engineering, typically spear-phishing with a malicious attachment. No law enforcement takedown has been announced. A second wave in 2022 against logistics and transportation organisations in the Middle East was reported by Trend Micro.

🔍 Detection Indicators

Intezer's report publishes SHA256 hashes for the Windows, Linux and macOS samples and for the first-stage Windows dropper; they are not reproduced here and should be taken from the original blog or a reputable feed rather than copied from a secondary page. Behavioural indicators outlive hashes: an outbound HTTPS fetch of a direct-download URL on `drive.google.com` (of the form `/uc?export=download&id=...`), `api.dropboxapi.com` or `graph.microsoft.com` (OneDrive), followed shortly afterwards by a first-ever connection from the same host to a domain that is not itself a cloud service, is the sequence to hunt for. The User-Agent imitates a browser (`Mozilla/5.0 ...`), so it is not a useful discriminator on its own. On Windows, persistence is a value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the 2022 sample named it `igfxCUIService` and dropped the binary under `C:\ProgramData`. Some samples are reported to create a mutex named `Global\SysJokerMutex`.
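The dead-drop-then-new-domain sequence is easy to express over proxy logs. The script below is an added example for this page, not Intezer's or any vendor's detection content: it scans a log, records each client's fetches from cloud-storage direct-download URLs, and raises an alert when the same client makes its first-ever contact with a domain outside a baseline within ten minutes of such a fetch. The log format, the URL patterns treated as direct downloads, the window and the baseline set are assumptions; every log line is constructed and the `.invalid` domains are reserved names, not real infrastructure.

```python
"""Hunt for the dead-drop resolver pattern: a host fetches a small file from a
public cloud-storage share and shortly afterwards beacons to a domain it has
never contacted before.

Added example for this page, not Intezer's or any vendor's detection content.
The log format, the URL shapes treated as direct downloads, the 10-minute
window and the baseline are assumptions; every log line is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Direct-download URL shapes for the services the page names as SysJoker's
# first hop (assumption: these are the public share/download forms).
DEAD_DROP_PATTERNS = [
    re.compile(r"^drive\.google\.com/uc\?"),
    re.compile(r"^(www\.)?dropbox\.com/.*[?&]dl=1"),
    re.compile(r"^(api|content)\.dropboxapi\.com/"),
    re.compile(r"^(graph\.microsoft\.com|onedrive\.live\.com)/.*download"),
]
WINDOW = timedelta(minutes=10)


def strip_scheme(url: str) -> str:
    return re.sub(r"^https?://", "", url)


def is_dead_drop(url: str) -> bool:
    """True if the URL looks like a direct download from a cloud-storage share."""
    return any(p.search(strip_scheme(url)) for p in DEAD_DROP_PATTERNS)


def host_of(url: str) -> str:
    return strip_scheme(url).split("/", 1)[0].lower()


def parse_line(line: str):
    """Assumed proxy log format: '<ISO timestamp> <client_ip> <method> <url>'."""
    ts, client, _method, url = line.split()
    return datetime.fromisoformat(ts), client, url


def find_dead_drop_followups(lines, baseline_domains, window=WINDOW):
    """Return [(client, dead_drop_url, new_domain)] for every first-ever contact
    with a domain outside the baseline that occurs within `window` after the
    same client fetched a dead-drop file."""
    events = sorted(parse_line(line) for line in lines if line.strip())
    drops = defaultdict(list)       # client -> [(ts, url)] of dead-drop fetches
    contacted = defaultdict(set)    # client -> domains already seen in this log
    alerts = []
    for ts, client, url in events:
        if is_dead_drop(url):
            drops[client].append((ts, url))
            continue
        domain = host_of(url)
        first_contact = domain not in baseline_domains and domain not in contacted[client]
        contacted[client].add(domain)
        if not first_contact:
            continue
        # A new domain on its own is noise; it becomes interesting only when
        # it follows a dead-drop fetch by the same client.
        for drop_ts, drop_url in drops[client]:
            if timedelta(0) <= ts - drop_ts <= window:
                alerts.append((client, drop_url, domain))
                break
    return alerts


# Constructed proxy log.  10.0.0.15 shows the SysJoker-style sequence; 10.0.0.22
# fetches from Drive but then only talks to known domains; 10.0.0.31 contacts a
# new domain with no preceding dead-drop fetch.  '.invalid' is a reserved TLD.
SAMPLE_LOG = """
2022-01-11T09:00:02 10.0.0.15 GET https://www.google.com/search?q=weather
2022-01-11T09:01:10 10.0.0.15 GET https://drive.google.com/uc?export=download&id=1aBcDeFgHiJkL
2022-01-11T09:01:41 10.0.0.15 POST https://updates-example.invalid/api/attach
2022-01-11T09:05:00 10.0.0.22 GET https://drive.google.com/uc?export=download&id=9zYxWvUtSrQ
2022-01-11T09:06:30 10.0.0.22 GET https://github.com/some/repo
2022-01-11T09:10:00 10.0.0.31 GET https://new-vendor.invalid/
2022-01-11T13:30:00 10.0.0.15 POST https://updates-example.invalid/api/attach
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()
# Domains this client population contacted before the hunt period (assumption).
BASELINE = {"www.google.com", "drive.google.com", "github.com", "login.microsoftonline.com"}

if __name__ == "__main__":
    for client, drop, domain in find_dead_drop_followups(SAMPLE_LINES, BASELINE):
        print(f"{client}: fetched {drop} then first contacted {domain}")
```

In production the baseline would be the set of domains seen across the fleet over the preceding weeks, and the window should be widened if the variant in question sleeps before its first beacon; the dead-drop fetch alone is far too common to alert on, which is why the logic only fires on the conjunction.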

☠️ Risk & Impact

SysJoker's risk comes from the combination of cross-platform coverage and a first network hop to services almost every organisation already allows, so a compromised host can be tasked and can exfiltrate for long periods without tripping domain-reputation or IP-blocklist controls. Reported victims in education, government and logistics have lost intellectual property and credentials. Because the hosted C2 pointer can be rotated at will, the server seen by one victim need not be the one seen by the next, which complicates both blocking and attribution.

🛡️ Mitigation

Deploy EDR that alerts on the persistence primitives SysJoker uses (new HKCU Run values, `@reboot` cron entries, LaunchAgent plists written by a process that is not an installer) and on DLL side-loading and process injection. Log proxy traffic with full URLs and alert on direct-download fetches from cloud storage that are followed by a connection to a never-before-seen domain; where the business allows, restrict cloud storage to sanctioned tenants through proxy allowlisting or tenant restrictions. Enforce application control so unsigned binaries under user-writable paths or `C:\ProgramData` cannot execute. Apply the YARA rules published for the C++ and Rust builds. Network signatures for the encrypted C2 payload are of limited value because the traffic is also wrapped in TLS, so network detection should key on the dead-drop fetch and the new-domain beacon rather than on payload content.
