New SysJoker Backdoor Malware Targets Windows, macOS, and Linux (17th January 2022)

Ref# AL2022_02 | Date: Jan 17th 2022

A new multi-platform backdoor (SysJoker) was discovered in the wild affecting Windows, Linux, and macOS, while evading detection on all three major operating systems.

Summary

In their article, Intezer researchers Avigayil Mechtinger, Ryan Robinson, and Nicole Fishbein report that SysJoker masquerades as a system update and derives the address of its command-and-control (C2) server by decoding a string fetched from a text file hosted on Google Drive. Based on the victimology and the malware's behaviour, it is believed to be targeting specific persons.

How it works

The SysJoker malware, written in C++, is delivered as a payload from a remote server. The payload collects details about the victim's computer, such as the MAC address, username, physical media, serial number, and IP addresses, then encodes them and sends them back to the server.

Notably, connections to the attacker-controlled server are established by retrieving the C2 domain from a hard-coded Google Drive link that hosts a text file (domain.txt). This indirection lets the operators redirect which server issues commands to the infected machine. Once connected, the malware can run arbitrary commands and executables and transmit the results back to the server.
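The C2 lookup described above leaves a network footprint that defenders can hunt for: a direct download of a plain-text file from Google Drive, repeated each time the implant resolves its server. The script below is an added example, not code from the advisory or from Intezer; it parses a constructed proxy log format (timestamp, client, user, method, URL, status, content type) and flags Drive direct downloads that returned text/plain, then lists clients that pulled the same file more than once. The log lines, file IDs and IP addresses are all constructed placeholders.

```python
"""Hunt proxy logs for repeated direct downloads of text files from Google Drive.

Assumed log format (constructed for this example, not a real product format):
    <timestamp> <client_ip> <user> <method> <url> <status> <content_type>
"""
from collections import Counter
from urllib.parse import parse_qs, urlparse

DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}

# Constructed sample traffic: the file id, hosts and users are placeholders.
SAMPLE_LOG = """\
2022-01-17T09:12:01Z 10.0.0.15 alice GET https://www.example.org/index.html 200 text/html
2022-01-17T09:12:44Z 10.0.0.23 bob GET https://drive.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID 200 text/plain
2022-01-17T09:13:02Z 10.0.0.23 bob GET https://updates.example.com/patch.exe 200 application/octet-stream
2022-01-17T09:14:10Z 10.0.0.31 carol GET https://docs.google.com/document/d/PLACEHOLDER_DOC_ID/edit 200 text/html
2022-01-17T10:12:50Z 10.0.0.23 bob GET https://drive.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID 200 text/plain
2022-01-17T11:12:47Z 10.0.0.23 bob GET https://drive.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID 200 text/plain
"""


def parse_line(line):
    """Split one log line into a dict; malformed lines are skipped (None)."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, client, user, method, url, status, ctype = fields
    return {"ts": ts, "client": client, "user": user, "method": method,
            "url": url, "status": status, "ctype": ctype}


def is_drive_text_download(entry):
    """True for a Drive direct-download request (/uc?export=download) that returned text/plain."""
    parsed = urlparse(entry["url"])
    if parsed.hostname not in DRIVE_HOSTS:
        return False
    query = parse_qs(parsed.query)
    direct = parsed.path == "/uc" and query.get("export") == ["download"]
    return direct and entry["ctype"].startswith("text/plain")


def find_drive_text_fetches(log_text):
    """Return every parsed entry that matches the Drive text-file download pattern."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_drive_text_download(entry):
            hits.append(entry)
    return hits


def repeat_fetchers(hits, min_count=2):
    """Clients that pulled the same Drive file repeatedly: a beaconing-like pattern
    worth a closer look on the host (recently added 'update' binaries, persistence)."""
    counts = Counter((h["client"], h["url"]) for h in hits)
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    hits = find_drive_text_fetches(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} ({h['user']}) fetched a text file from Drive: {h['url']}")
    for (client, url), n in repeat_fetchers(hits).items():
        print(f"{client} fetched {url} {n} times; review the host")
```

Legitimate users download text files from Drive too, so this is a hunting filter, not a verdict: the repeat count and the absence of a browser session around the request are what make a hit worth escalating.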

Remediation

To date, no patch addressing this threat has been published; users are advised to follow the steps below:

  • Manually delete any malware-related programs and files, along with the malware's persistence mechanism. This can be supported by running a signature-based detection scan, one of the most common methods of dealing with malware: once a file matches a known signature, it is classified as a threat and prevented from acting further.

  • Ensure all malicious files have been removed from the compromised system by running a memory scanner.

  • Examine all possible access points, check firewall settings, and make sure all software tools are updated to the latest version. These checks also help identify outdated firmware, which should be upgraded if found, and confirm that the firewall is configured correctly for the network's actual usage.
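The first remediation step relies on signature-based detection: hash each file, compare against a list of known-bad hashes, and take a matching file out of action. The script below is an added example, not code from the advisory or from any vendor tool; it walks a directory tree, streams each file through SHA-256, compares against a signature set, and moves matches into a quarantine folder with a manifest recording the original path and hash for the incident record. The signature entry and the sample files are constructed placeholders; a real signature set would come from the vendor report or a threat-intelligence feed.

```python
"""Signature-based file scan with quarantine (added example; hashes are placeholders)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed placeholder: real entries are SHA-256 digests from a vendor report.
PLACEHOLDER_SIGNATURES = {
    "0000000000000000000000000000000000000000000000000000000000000000": "placeholder-sample",
}


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, signatures):
    """Return [(path, digest, label)] for every regular file whose hash is in signatures."""
    matches = []
    for path in Path(root).rglob("*"):
        # Skip directories and symlinks so the scan never follows a link out of the tree.
        if path.is_symlink() or not path.is_file():
            continue
        try:
            digest = sha256_of(path)
        except OSError:
            continue  # unreadable file: move on rather than abort the whole scan
        if digest in signatures:
            matches.append((path, digest, signatures[digest]))
    return matches


def quarantine(matches, quarantine_dir):
    """Move matched files out of place and record where they came from.

    Renaming the file by its hash stops it from being executed again, while the
    manifest keeps the evidence trail needed for incident response."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for path, digest, label in matches:
        dest = qdir / f"{digest}.quarantined"
        shutil.move(str(path), str(dest))
        manifest.append({"original": str(path), "sha256": digest,
                         "signature": label, "stored_as": str(dest)})
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo():
    """Build a constructed directory with one 'bad' file and run the scan end to end."""
    work = Path(tempfile.mkdtemp())
    (work / "notes.txt").write_bytes(b"harmless constructed content\n")
    bad = work / "update_helper.bin"
    bad.write_bytes(b"constructed stand-in for a malicious sample\n")
    # Register the stand-in's own hash so the demo has exactly one match.
    signatures = dict(PLACEHOLDER_SIGNATURES)
    signatures[sha256_of(bad)] = "constructed-test-signature"
    matches = scan_tree(work, signatures)
    manifest = quarantine(matches, work / "quarantine")
    return work, manifest


if __name__ == "__main__":
    _, found = demo()
    print(json.dumps(found, indent=2))
```

Hash signatures only catch files identical to a known sample, which is why the advisory pairs this step with a memory scan and manual removal of the persistence mechanism; a recompiled or repacked variant will not match and has to be found by behaviour.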

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.