Researchers have uncovered a never-before-seen backdoor malware written from scratch for systems running Windows, macOS, or Linux that remained undetected by virtually all malware scanning engines.
Researchers from security firm Intezer said they discovered SysJoker—the name they gave the backdoor malware—on the Linux-based Webserver of a “leading educational institution.” As the researchers dug in, they found SysJoker versions for both Windows and macOS as well. They suspect the cross-platform RAT—short for remote access trojan—was unleashed in the second half of last year.
The discovery is significant for several reasons. First, fully cross-platform malware is something of a rarity, with most malicious software being written for one specific operating system. The RAT was also written from scratch and made use of four separate command-and-control servers, an indication that the people who developed and used it were part of an advanced threat actor that invested significant resources. It’s also unusual for previously unseen Linux malware to be found in a real-world attack.
Analyses of the Windows version (by Intezer) and the version for Macs (by researcher Patrick Wardle) found that SysJoker provides advanced backdoor capabilities. Executable files for both the Windows and macOS versions had the suffix .ts. Intezer said that may be an indication the file masqueraded as a type script app spread after being sneaked into the npm JavaScript repository. Intezer went on to say that SysJoker masquerades as a system update.
Ultimately, Intezer was unable to definitively determine how the malware was installed. The theory it was installed either through a malicious npm package or alternately by using a false extension to disguise the malicious installer, would suggest the infections weren't the result of exploiting a vulnerability but rather tricking someone into installing.
Wardle, meanwhile, said the .ts extension may indicate the file masqueraded as video transport stream content. He also found that the macOS file was digitally signed, though with an ad-hoc signature.
SysJoker is written in C++, and as of Tuesday, the Linux and macOS versions were fully undetected on the VirusTotal malware search engine. The backdoor generates its control-server domain by decoding a string retrieved from a text file hosted on Google Drive. During the time the researchers were analyzing it, the server changed three times, indicating the attacker was active and monitoring for infected machines.
Based on organizations targeted and the malware’s behavior, Intezer's assessment is that SysJoker is after specific targets, most likely with the goal of “espionage together with lateral movement which might also lead to a ransomware attack as one of the next stages.”
Post updated on 1/16/2022 to make clear backdoor refers to malware and explicitly say it's unknown how it gets installed.
reader comments
147