
SysJoker backdoor is infecting Windows, Linux and macOS devices, researchers warn


MMT


The multi-platform malware is undetectable once a user's OS has been infected
Researchers at cyber security firm Intezer have uncovered a never-before-seen, multi-platform backdoor malware that is infecting devices running Linux, Windows, and macOS.

Dubbed SysJoker, this malware was first discovered in December 2021 when Intezer researchers were examining an active attack on a Linux-based web server of a leading educational institution.

After further investigation, the researchers found that SysJoker was capable of targeting multiple operating systems, including Windows, Linux and macOS.

The discovery is notable because malware operators rarely create malicious code that targets multiple platforms at the same time. Malware is usually built to exploit a specific weakness in a single platform, rather than being built in parallel to attack several platforms simultaneously.

According to researchers, SysJoker is particularly dangerous because it is extremely adept at escaping detection, having been designed to remain undetectable once a user's OS has been infected.

Based on Command and Control (C2) domain registration and samples detected in VirusTotal, the researchers believe that the malware was first used in an attack in the second half of 2021.

The macOS variant of the malware was examined by Patrick Wardle, while Intezer researchers focused on the Windows version.

Intezer's research team noted in a blog post that SysJoker masquerades as a system update and generates its C2 address by decoding a string retrieved from a text file hosted on Google Drive. During the investigation, the C2 was changed three times, suggesting that the threat actor is active and monitoring for infected devices.

According to the researchers, the malware creates a series of files and registry commands that enable it to install additional malware on an infected device, execute commands, or instruct the backdoor to uninstall itself from the machine. The steps to achieve this vary depending on the operating system.

For example, the Windows variant features a first-stage dropper in the form of a DLL that does not exist for Linux and macOS, although the end result is essentially the same in each case.

The malware is written in C++, and each instance is customised for the specific OS it is designed to attack.

According to Intezer, the Windows version has just six detections so far. These samples were uploaded to VirusTotal with the file extension ".ts", which is normally used for TypeScript files. Both the Linux and macOS samples are completely undetected so far.
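The mismatch the article describes, a native executable carrying a source-file extension such as ".ts", is something a defender can check for directly: the first bytes of a file identify PE, ELF and Mach-O binaries regardless of the name. The following is an added example written for this post; it is not code from the article or from Intezer, the sample files are constructed here and are not SysJoker samples, and the list of "text-like" extensions is an assumption chosen for illustration.

```python
"""
Added example (not from the article or Intezer): flag files whose extension
suggests a text or source file (such as ".ts") but whose leading bytes
identify a native Windows, Linux or macOS executable.
"""
import os
import struct
from typing import Dict, List, Optional, Tuple

# Mach-O magic numbers (32/64-bit, big- and little-endian thin binaries).
MACHO_THIN_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
}
# Universal ("fat") Mach-O binaries start with CAFEBABE, but so do Java class
# files; the two are told apart below using the bytes that follow the magic.
FAT_MAGIC = b"\xca\xfe\xba\xbe"

# Assumption for this example: extensions one would expect to hold text.
TEXT_LIKE_EXTENSIONS = {".ts", ".js", ".json", ".txt", ".md", ".py"}


def identify_executable(header: bytes) -> Optional[str]:
    """Return "PE", "ELF" or "Mach-O" from the first 8 bytes of a file, else None."""
    if header[:2] == b"MZ":            # Windows PE (DOS stub signature)
        return "PE"
    if header[:4] == b"\x7fELF":       # Linux ELF
        return "ELF"
    if header[:4] in MACHO_THIN_MAGICS:
        return "Mach-O"
    if header[:4] == FAT_MAGIC and len(header) >= 8:
        # Fat header: big-endian nfat_arch, realistically a small number.
        # A Java class file has minor/major version here and major >= 45,
        # which makes the 32-bit value far larger than any plausible arch count.
        nfat_arch = struct.unpack(">I", header[4:8])[0]
        if 0 < nfat_arch < 20:
            return "Mach-O"
    return None


def flag_disguised_executables(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (filename, format) for every file whose text-like extension hides a native executable."""
    findings = []
    for name, content in files.items():
        fmt = identify_executable(content[:8])
        ext = os.path.splitext(name)[1].lower()
        if fmt is not None and ext in TEXT_LIKE_EXTENSIONS:
            findings.append((name, fmt))
    return findings


# Constructed sample "files": a handful of headers, not real malware.
SAMPLES: Dict[str, bytes] = {
    "update.ts": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,   # PE labelled as TypeScript
    "types.ts": b"export type Id = string;\n",                    # genuine TypeScript
    "helper.ts": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,        # ELF labelled as TypeScript
    "agent.ts": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",              # 64-bit Mach-O
    "Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x3d",            # Java class, not a fat binary
    "tool": b"\xca\xfe\xba\xbe\x00\x00\x00\x02",                  # fat Mach-O with a plain name
}

if __name__ == "__main__":
    for name, fmt in flag_disguised_executables(SAMPLES):
        print(f"{name}: {fmt} executable with a text-like extension")
```

Only the three ".ts" files that actually begin with executable magic are reported; the real TypeScript file, the Java class and the fat binary without a text-like name are left alone. On a real collection the same check can be applied to the first eight bytes of each file on disk instead of the constructed dictionary.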

The researchers also noted that an infected npm package might have been used as an attack vector for the malware.

Based on the malware's behavior and victimology, the researchers believe that SysJoker is after specific targets, most likely with the goal of "espionage together with lateral movement which might also lead to a ransomware attack as one of the next stages."
