Threat behavior
SysJoker is currently observed being distributed as part of an infected Node Package Manager (npm) package, but its distribution is not limited to this technique.
The initial dropper masquerades as a legitimate file such as a TypeScript or multimedia stream file. Once on the device, it initializes and launches PowerShell commands to connect to the attacker’s domain and download the SysJoker payload.
The payload then launches and creates a folder and file under ProgramData, which appear as benign system files.
- C:\ProgramData\SystemData
- C:\ProgramData\SystemData\igfxCUIService.exe
To maintain persistence, the malware adds a registry entry to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
It then collects system information, including the IP address, IP configuration, and media access control (MAC) address, and saves this data as a JSON object in multiple log files.
- C:\ProgramData\SystemData\temp**.txt
- C:\ProgramData\SystemData\microsoft_windows.dll
The malware uses Google Drive to download a text file containing the Base64-encoded C2 link. It then exfiltrates the collected data to the C2 server using the cURL API.
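The following PowerShell script is an added example for checking a Windows host for the artifacts described above; it is not code from the original page. The file paths and the HKCU Run key are the ones listed above, while the function name, the temp*.txt wildcard, and the output format are assumptions.

```powershell
# Added example (not from the original page): hunt for the SysJoker
# artifacts described above on a Windows host. Paths and the Run key
# come from the page; the function name and output format are assumed.

$SysJokerDir   = 'C:\ProgramData\SystemData'
$SysJokerFiles = @(
    'C:\ProgramData\SystemData\igfxCUIService.exe',
    'C:\ProgramData\SystemData\microsoft_windows.dll'
)
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Find-SysJokerArtifacts {
    $findings = @()

    # 1. Dropped files under ProgramData\SystemData
    foreach ($f in $SysJokerFiles) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Type = 'File'; Evidence = $f }
        }
    }

    # 2. JSON "log" files the malware writes (temp*.txt in the same folder;
    #    the exact wildcard is an assumption based on the page's temp**.txt)
    if (Test-Path -LiteralPath $SysJokerDir) {
        Get-ChildItem -LiteralPath $SysJokerDir -Filter 'temp*.txt' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{ Type = 'LogFile'; Evidence = $_.FullName }
            }
    }

    # 3. HKCU Run entries pointing into the malware folder (persistence)
    if (Test-Path -LiteralPath $RunKey) {
        $run = Get-ItemProperty -LiteralPath $RunKey
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            if ("$($p.Value)" -like "*$SysJokerDir*") {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Evidence = "$($p.Name) = $($p.Value)" }
            }
        }
    }
    return $findings
}

$results = Find-SysJokerArtifacts
if ($results.Count -eq 0) { 'No SysJoker artifacts found.' } else { $results | Format-Table -AutoSize }
```

Run it in an elevated session on the host under review; a hit on any of the three artifact types warrants isolating the machine and collecting the ProgramData\SystemData folder before remediation.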
Prevention
Guidance for end users
- Keep your operating system and antivirus products up to date.
Guidance for enterprise administrators
Apply these mitigations to reduce the impact of this threat.
- Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
- Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control (C2) activity, including on mobile devices.
- Run the latest version of your operating system and applications. Deploy the latest security updates as soon as they become available.
- If you’re an Enterprise customer managing updates, select the detection build 1.355.1905.0 or newer for Windows, 86928 or newer for Mac and Linux, and deploy it across your environments.