“SysJoker” backdoor revealed after going undetected on Windows, Linux, and macOS for several months

Jason R. Wilson

Researchers recently unearthed a cross-platform malware attack. The backdoor appeared on Windows, macOS, and Linux operating systems. The new malware went undetected by nearly every antivirus and malware scanning engine.

A new backdoor malware attack, SysJoker, was discovered, affecting all major operating systems

Researchers from Intezer, a security firm, uncovered a new backdoor malware, aptly named SysJoker, on the Linux-based web server of a "leading educational institution." Upon further review, the security researchers also located the backdoor on macOS and Windows operating systems. It is estimated that the unknown party or parties set the attack into motion during the second half of 2021.


SysJoker is a higher threat than most backdoor attacks in that it is capable of activating on multiple platforms. Malware typically attacks a specific operating system, not several as in this case. The unknown attacking party also wrote this backdoor from the ground up and set it up to use four individual command-and-control servers. According to Ars Technica, researchers state that the individuals or groups who developed and implemented the attack were considered "part of an advanced threat actor that invested significant resources." The website also points out that it is rare for Linux malware to be located "in a real-world attack."

Researcher Patrick Wardle, creator of Objective-See.com, and research firm Intezer were responsible for the analyses on the Mac and Windows operating systems, respectively. The two groups found that the SysJoker attack allows for advanced backdoor capabilities. The executable files located on both operating systems ended in the suffix ".ts," which led the Intezer team to deduce that the file was disguised as a "typescript" application, which transferred itself into the npm JavaScript repository. The firm also found that SysJoker presents itself to users as a system update.

Wardle disagreed with Intezer, stating that the ".ts" file extension indicated video transport stream content. Upon further review, he also discovered that the macOS file is digitally signed with an ad-hoc signature.
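Whichever reading of ".ts" is right, a defender can settle what such a file really is by checking its leading bytes rather than its name. The sketch below is an added example, not code from the article, Intezer, or Wardle; the file names and sample byte strings in it are constructed for illustration.

```python
import codecs
import struct

# Well-known magic numbers; 0xCAFEBABE (fat Mach-O) is shared with Java class files.
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE}
TS_PACKET, TS_SYNC = 188, 0x47  # MPEG-TS: 188-byte packets, each starting 0x47
NATIVE = {"elf", "macho", "pe"}


def classify(data: bytes) -> str:
    """Name the content type implied by the bytes, ignoring the file name."""
    if data[:4] == b"\x7fELF":
        return "elf"
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] in MACHO_MAGICS:
        return "macho"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at 0x3C holds the offset of the "PE\0\0" signature.
        off = struct.unpack("<I", data[0x3C:0x40])[0]
        if data[off:off + 4] == b"PE\x00\x00":
            return "pe"
    # A transport stream repeats the sync byte at every packet boundary.
    if len(data) >= 3 * TS_PACKET and all(
        data[i] == TS_SYNC for i in range(0, 3 * TS_PACKET, TS_PACKET)
    ):
        return "mpeg-ts"
    head = data[:4096]
    if head and b"\x00" not in head:
        try:
            # Incremental decode tolerates a multi-byte character cut at 4096.
            codecs.getincrementaldecoder("utf-8")().decode(head)
            return "text"  # plausible TypeScript source
        except UnicodeDecodeError:
            pass
    return "unknown"


def is_suspicious_ts(name: str, data: bytes) -> bool:
    """True when a *.ts file is really a native executable."""
    return name.lower().endswith(".ts") and classify(data) in NATIVE


# Constructed sample inputs (minimal headers, not real binaries or malware).
SAMPLE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 57
SAMPLE_MACHO = struct.pack("<I", 0xFEEDFACF) + b"\x00" * 28
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_TS = (bytes([TS_SYNC]) + b"\x00" * 187) * 3
SAMPLE_TEXT = b"export const answer: number = 42;\n"

if __name__ == "__main__":
    for label, blob in [("update.ts", SAMPLE_PE), ("clip.ts", SAMPLE_TS), ("app.ts", SAMPLE_TEXT)]:
        print(label, classify(blob), is_suspicious_ts(label, blob))
```

A ".ts" file that classifies as a PE, ELF, or Mach-O image is neither TypeScript source nor a transport stream and is worth triaging.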

The programming language used to create SysJoker is C++. Since last Tuesday, the macOS and Linux versions have remained undetected on the malware search engine VirusTotal. The malware obtains its control-server domain by decoding a string from a text file buried in the user's Google Drive. Researchers found that the server rerouted multiple times, meaning the human controller was alert and searching for machines affected by SysJoker.

Intezer believes that targets of SysJoker are deliberate and that the attacking party is planning "espionage together with lateral movement which might also lead to a ransomware attack as one of the next stages."
