Beware of this malware that traps antivirus!

New malware has been discovered that attacks Windows, macOS, and Linux as well. The intruder was spotted in December on a web server Linux of an educational institution by cybersecurity researchers to enter. They named it SysJoker for its ability to masquerade as a system update in order to avoid detection.

Researchers submitted a sample of the malware to the VirusTotal site, which allows files to be scanned by more than 70 antivirus software. None succeeded in detecting the Linux and macOS versions. For the Windows version, only six antiviruses reported a problem.

Towards a ransom demand?

On Windows, SysJoker uses an “injector” (or dropper) in the form of a DLL library in order to enter the system. It is this one which will then install the malware strictly speaking. Once in place, it launches commands in Windows PowerShell to download the compressed (ZIP) folder containing the program, unzip it, and run it. Once started, SysJoker pauses for a random duration of 90 to 120 seconds. Then it creates the folder C: ProgramData SystemData and registers there under the name igfxCUIService.exe in order to impersonate the Intel graphics driver.

The program then connects to a Google Drive link to download a text file containing the address of the order servers and Control (C&C), which will send it instructions to install other malware or execute commands. According to the researchers, this file has been updated several times since they monitored it, showing that its author is still active. From his behavior, it appears that the malware targets specific targets. The researchers believe that its purpose is first to spy on its victims, and that the next step could be an attack of the type ransomware.