Backdoor for Windows, macOS, and Linux went undetected until now


Researchers discovered a never-before-seen backdoor written from the ground up for systems running Windows, macOS, or Linux that went undetected by virtually all malware scanning engines.

Researchers from security firm Intezer said they discovered SysJoker – the name they gave the backdoor – on the Linux-based web server of a “leading educational institution”. As the researchers dug, they also found versions of SysJoker for Windows and macOS. They suspect the cross-platform malware was released in the second half of last year.

The discovery is important for several reasons. First, fully cross-platform malware is rather rare; most malware is written for a single operating system. The backdoor was also written from scratch and used four separate command-and-control servers, indicating that the people who developed and used it were part of an advanced threat actor that invested significant resources. It is also unusual for previously unseen Linux malware to be found in a real-world attack.

Analysis of the Windows version (by Intezer) and the macOS version (by researcher Patrick Wardle) revealed that SysJoker provides advanced backdoor functionality. The executable files of the Windows and macOS versions carried the suffix .ts. Intezer said this could be an indication that the file masqueraded as a TypeScript application distributed through the npm JavaScript repository. Intezer went on to say that SysJoker masquerades as a system update.

Wardle, meanwhile, said the .ts extension can indicate that the file is disguised as video transport stream content. He also discovered that the macOS file was digitally signed, but with an ad hoc signature.
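Both disguises described above (TypeScript source or a video transport stream) share one property a defender can check for: a genuine .ts file of either kind does not begin with a native executable header. The script below is an added example, not code from Intezer or Wardle; it flags .ts files whose leading bytes are a PE, Mach-O or ELF image, and the file names and sample bytes it builds are constructed.

```python
from __future__ import annotations
import struct
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",   # 32-/64-bit Mach-O, big-endian
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",   # same magics, little-endian on disk
                b"\xca\xfe\xba\xbe"}                         # fat/universal binary
TS_SYNC = 0x47  # every 188-byte MPEG transport-stream packet starts with this byte

def classify(head: bytes) -> str | None:
    """Return 'elf', 'macho' or 'pe' when the leading bytes are a native executable, else None."""
    if head[:4] == ELF_MAGIC:
        return "elf"
    if head[:4] in MACHO_MAGICS:
        return "macho"
    if head[:2] == b"MZ" and len(head) >= 0x40:
        # PE: the DWORD at 0x3c (e_lfanew) gives the offset of the 'PE\0\0' signature
        off = struct.unpack_from("<I", head, 0x3c)[0]
        if head[off:off + 4] == b"PE\x00\x00":
            return "pe"
    return None

def scan_for_masquerading_ts(root: Path) -> list[tuple[str, str]]:
    """Walk root and report .ts files whose contents are really a native executable."""
    hits = []
    for path in root.rglob("*.ts"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(4096)  # enough for the DOS stub plus the PE signature in normal binaries
        kind = classify(head)
        if kind is not None:
            hits.append((path.name, kind))
    return sorted(hits)

def demo() -> list[tuple[str, str]]:
    """Build constructed samples in a temp dir and scan them (header bytes only, no real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.ts").write_text("export const x: number = 1;\n")        # genuine TypeScript
        (root / "clip.ts").write_bytes(bytes([TS_SYNC] + [0] * 187) * 3)      # genuine MPEG-TS packets
        (root / "update.ts").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)  # Mach-O header, hypothetical name
        pe = bytearray(b"MZ" + b"\x00" * 0x3e)
        pe[0x3c:0x40] = struct.pack("<I", 0x40)
        (root / "helper.ts").write_bytes(bytes(pe) + b"PE\x00\x00")         # PE header, hypothetical name
        return scan_for_masquerading_ts(root)
```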

SysJoker is written in C++, and as of Tuesday, the Linux and macOS versions were not detected at all on the VirusTotal malware search engine. The backdoor generates its controlling server domain by decoding a string extracted from a text file hosted on Google Drive. While the researchers were analyzing it, the server changed three times, indicating that the attacker was active and monitoring infected machines.

Based on the targeted organizations and the malware's behavior, Intezer's assessment is that SysJoker is after specific targets, most likely for the purpose of "spying together with lateral movement, which could also lead to a ransomware attack as one of the next steps."
