The first signs of SysJoker appeared in December 2021, when researchers at Intezer were investigating an attack on a Linux web server. This malware was written in C++ and each variant is specifically tailored for the operating system it attacks. VirtusTotal was unable to detect the malware, even using 57 different detection engines.

Once the malware has been deployed, it fetches the SysJoker zip file from GitHub, unpacks it, and executes the payload. The payload gathers information about the machine, stores and encodes the results in a JSON object, creates persistence, reaches out to a C2 server (using a hard-coded Google Drive link, where the server is instructed to install additional malware and run commands on the infected device.

Intezer has provided a list of indicators for SysJoker for each operating system. On Linux, the files and sub-directories are created under /.Library/ and persistence is created with the cronjob @reboot (/.Library/SystemServices/updateSystem) . If you discover such a cronjob, it's imperative that you kill all related processes, manually delete the files and cronjob, scan the system to ensure all malicious files have been removed, and check for any weakness that might have allowed the attackers access to your server.

Find out more about SysJoker in the original Intezer report.