Threat: SysJoker (backdoor)
Intezer published an in-depth analysis of a new cross-platform backdoor that was discovered in the wild. Objective-See also published a macOS-specific analysis.
It appears to be a targeted attack.
Affects: SysJoker affects macOS (both Intel and Apple Silicon), Linux, and Windows devices.
Detected by: Jamf Protect detects SysJoker as part of the PlistDisguisedAsApple analytic.
Prevented by: Jamf Protect prevents SysJoker from running through Jamf Threat Prevention as of 1/12/2022.
Jamf Threat Defense prevents communication with all known C2 servers as of 1/12/2022.
IOCs (as published by Intezer with some additions):
Detection Content
Mac
Files and directories created on the machine:
- /Library/MacOsServices
- /Library/MacOsServices/updateMacOs
- /Library/SystemNetwork
- /Library/LaunchAgents/com.apple.update.plist
Persistence: Creates persistence via LaunchAgent under the path /Library/LaunchAgents/com.apple.update.plist.
Content:
Linux
Files and directories created on the machine:
- /.Library/
- /.Library/SystemServices/updateSystem
- /.Library/SystemNetwork
- /.Library/log.txt
Persistence: Creates the cron job:
@reboot (/.Library/SystemServices/updateSystem)
Commands:
Windows
Files and directories created on the machine:
- C:\ProgramData\RecoverySystem
- C:\ProgramData\RecoverySystem\recoveryWindows.zip
- C:\ProgramData\RecoverySystem\msg.exe
- C:\ProgramData\SystemData
- C:\ProgramData\SystemData\igfxCUIService.exe
- C:\ProgramData\SystemData\tempo1.txt
- C:\ProgramData\SystemData\tempo2.txt
- C:\ProgramData\SystemData\tempi1.txt
- C:\ProgramData\SystemData\tempi2.txt
- C:\ProgramData\SystemData\temps1.txt
- C:\ProgramData\SystemData\temps2.txt
- C:\ProgramData\SystemData\tempu.txt
- C:\ProgramData\SystemData\microsoft_Windows.dll
Persistence: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: igfxCUIService Type: REG_SZ Data: "C:\ProgramData\SystemData\igfxCUIService.exe"
Commands:
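To turn the file and persistence IOCs listed above into a quick host check, here is an added Python example (not Intezer's, Objective-See's or Jamf's own code). It checks the listed paths for the current platform, the Linux @reboot cron entry and the Windows Run value data; the Windows temp*.txt scratch files are omitted, and reading the registry itself is left to the reader.

```python
import os
import platform
import re
import subprocess
from typing import Callable, List

# File and directory IOCs as listed in this post, keyed by platform.system().
SYSJOKER_PATHS = {
    "Darwin": ["/Library/MacOsServices", "/Library/MacOsServices/updateMacOs",
               "/Library/SystemNetwork", "/Library/LaunchAgents/com.apple.update.plist"],
    "Linux": ["/.Library/", "/.Library/SystemServices/updateSystem",
              "/.Library/SystemNetwork", "/.Library/log.txt"],
    "Windows": [r"C:\ProgramData\RecoverySystem", r"C:\ProgramData\RecoverySystem\recoveryWindows.zip",
                r"C:\ProgramData\RecoverySystem\msg.exe", r"C:\ProgramData\SystemData",
                r"C:\ProgramData\SystemData\igfxCUIService.exe",
                r"C:\ProgramData\SystemData\microsoft_Windows.dll"],
}

# Linux persistence: the @reboot cron entry, with or without the parentheses shown in the post.
CRON_IOC = re.compile(r"^@reboot\s+\(?/\.Library/SystemServices/updateSystem\)?\s*$")
# Windows persistence: Run value data, compared case-insensitively with surrounding quotes removed.
RUN_VALUE_IOC = r"c:\programdata\systemdata\igfxcuiservice.exe"


def present_paths(system: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the listed SysJoker paths that exist; `exists` is injectable so fixtures can be used."""
    return [p for p in SYSJOKER_PATHS.get(system, []) if exists(p)]


def cron_has_sysjoker(crontab_text: str) -> bool:
    """True if any crontab line is the SysJoker @reboot entry."""
    return any(CRON_IOC.match(line.strip()) for line in crontab_text.splitlines())


def run_value_is_sysjoker(data: str) -> bool:
    """True if the data of a HKCU ...\\CurrentVersion\\Run value points at the SysJoker binary."""
    return data.strip().strip('"').lower() == RUN_VALUE_IOC


if __name__ == "__main__":
    hits = present_paths(platform.system())
    if platform.system() == "Linux":
        # crontab -l exits non-zero when the user has no crontab; empty stdout is then harmless.
        out = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
        if cron_has_sysjoker(out.stdout):
            hits.append("crontab @reboot entry for /.Library/SystemServices/updateSystem")
    print("SysJoker IOCs found:" if hits else "No SysJoker IOCs found", *hits, sep="\n")
```

Run it as root (or an admin) so that paths under /Library and /.Library are readable, and check every user's crontab, not only the invoking user's.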
Don't joke around with your macOS enterprise security!
Trust Jamf Protect to keep your Mac fleet and sensitive data secured against existing and emerging threats.