SysJoker malware got you down? Jamf’s got you covered

Jamf Threat Labs updates Jamf Protect to completely prevent SysJoker from threatening the security of your macOS fleet.

January 13, 2022 by Matthias Wollnik

Threat: SysJoker (backdoor)

Intezer published an in-depth analysis into a new cross-platform backdoor that was discovered in the wild. Objective-See also published a macOS-specific analysis.

It appears to be a targeted attack.

Affects: SysJoker affects macOS (both Intel and Apple Silicon), Linux, and Windows devices.

Detected by: Jamf Protect detects SysJoker as part of the PlistDisguisedAsApple analytic.

Prevented by: Jamf Protect prevents SysJoker from running through Jamf Threat Prevention as of 1/12/2022.

Jamf Threat Defense prevents communication with all known C2 servers as of 1/12/2022.

IOCs (as published by Intezer with some additions):

Detection Content

Mac

Files and directories created on the machine:

  • /Library/MacOsServices
  • /Library/MacOsServices/updateMacOs
  • /Library/SystemNetwork
  • /Library/LaunchAgents/com.apple.update.plist

Persistence: Creates persistence via LaunchAgent under the path /Library/LaunchAgents/com.apple.update.plist.

Content:

Linux

Files and directories created on the machine:

  • /.Library/
  • /.Library/SystemServices/updateSystem
  • /.Library/SystemNetwork
  • /.Library/log.txt

Persistence: Creates the cron job:

@reboot (/.Library/SystemServices/updateSystem)
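As an added example (not code from Jamf, Intezer or Objective-See), the POSIX shell below sweeps a host for the macOS and Linux file, LaunchAgent and cron IOCs listed above, and adds a heuristic for Apple-lookalike LaunchAgents in /Library/LaunchAgents (the name of the PlistDisguisedAsApple analytic suggests that kind of check; its actual logic is not on this page). The function names, the optional ROOT prefix and the crontab locations are my own choices, and the Windows IOCs are not covered here.

```shell
#!/bin/sh
# Added example, not Jamf's, Intezer's or Objective-See's code: sweep a host for
# the SysJoker macOS/Linux IOCs listed above. ROOT (default: live filesystem)
# lets the same functions scan a mounted image or a test tree.

# File and directory IOCs from the list above (macOS first, then Linux).
SYSJOKER_PATHS="
/Library/MacOsServices
/Library/MacOsServices/updateMacOs
/Library/SystemNetwork
/Library/LaunchAgents/com.apple.update.plist
/.Library
/.Library/SystemServices/updateSystem
/.Library/SystemNetwork
/.Library/log.txt
"

# Binary referenced by the Linux @reboot cron job.
SYSJOKER_CRON_MARK='/.Library/SystemServices/updateSystem'

# sysjoker_scan [ROOT]: print "HIT <kind> <path>" per finding.
# Returns 0 when clean, 1 when anything was found.
sysjoker_scan() {
    root="${1:-}"
    hits=0

    for p in $SYSJOKER_PATHS; do
        if [ -e "$root$p" ]; then
            echo "HIT path $root$p"
            hits=$((hits + 1))
        fi
    done

    # Crontab locations are an assumption (common Debian/RHEL layouts);
    # unmatched globs are skipped by the -f test. Run as root to read them all.
    for cronfile in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/* \
                    "$root"/etc/crontab "$root"/etc/cron.d/*; do
        [ -f "$cronfile" ] || continue
        if grep -qs "$SYSJOKER_CRON_MARK" "$cronfile"; then
            echo "HIT cron $cronfile"
            hits=$((hits + 1))
        fi
    done

    # Heuristic: Apple ships its own agents under /System/Library/LaunchAgents,
    # so a com.apple.* plist in /Library/LaunchAgents is a third party posing
    # as Apple. The exact IOC path is already counted above, so skip it here.
    for plist in "$root"/Library/LaunchAgents/com.apple.*.plist; do
        [ -f "$plist" ] || continue
        case "$plist" in
            */Library/LaunchAgents/com.apple.update.plist) continue ;;
        esac
        echo "HIT launchagent $plist"
        hits=$((hits + 1))
    done

    [ "$hits" -eq 0 ]
}

# sysjoker_hit_count [ROOT]: number of findings; always exits 0.
sysjoker_hit_count() {
    sysjoker_scan "$1" | awk '/^HIT /{n++} END{print n+0}'
}

# sysjoker_extension_attribute [ROOT]: Jamf Pro extension-attribute style
# output, so the count can be reported per device in inventory.
sysjoker_extension_attribute() {
    echo "<result>$(sysjoker_hit_count "$1")</result>"
}
```

Source the file and call `sysjoker_scan` for a human-readable listing, or `sysjoker_extension_attribute` as the body of an extension attribute so a non-zero count can drive a smart group. The lookalike-plist heuristic will also flag legitimate third-party software that misuses a com.apple.* label, so treat those hits as leads to verify (signature, binary path) rather than as confirmed SysJoker.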

Commands:

Windows

Files and directories created on the machine:

  • C:\ProgramData\RecoverySystem
  • C:\ProgramData\RecoverySystem\recoveryWindows.zip
  • C:\ProgramData\RecoverySystem\msg.exe
  • C:\ProgramData\SystemData
  • C:\ProgramData\SystemData\igfxCUIService.exe
  • C:\ProgramData\SystemData\tempo1.txt
  • C:\ProgramData\SystemData\tempo2.txt
  • C:\ProgramData\SystemData\tempi1.txt
  • C:\ProgramData\SystemData\tempi2.txt
  • C:\ProgramData\SystemData\temps1.txt
  • C:\ProgramData\SystemData\temps2.txt
  • C:\ProgramData\SystemData\tempu.txt
  • C:\ProgramData\SystemData\microsoft_Windows.dll

Persistence: Run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Name: igfxCUIService  Type: REG_SZ  Data: "C:\ProgramData\SystemData\igfxCUIService.exe"

Commands:

Don't joke around with your macOS enterprise security!

Trust Jamf Protect to keep your Mac fleet and sensitive data secured against existing and emerging threats.
