SysJoker Backdoor malware discovered for macOS, Windows and Linux operating systems

SysJoker Backdoor, a new malware, was discovered on the internet and was discovered in December 2021 by the Intezer team.

SysJoker Backdoor can infect macOS, Windows and Linux machines. It was first disbanded while actively attacking a Linux web server of “a prominent educational institution”. Based on its Command and Control (C&C or C2) domain registration and samples, Intezer believes the attack began in the second half of 2021.

The SysJoker malware pretends to work as a system update and generates the C2 domain by decoding a string from a text file hosted on Google Drive. The Integer team said that during its analysis, the malware’s C2 changed three times, suggesting that the software was actively looking for machines to infect. The SysJoker backdoor also appears to target specific victims.

A sample of the malware was uploaded to VirusTotal, which allows security researchers to scan uploaded files and URLs for malware. The SysJoker backdoor malware is apparently written in C++ and can be adapted to macOS, Windows and Linux operating systems.

In order to locate malware on a computer, you can follow these steps:

  • For Linux machines: Use Intezer Protect to gain full execution visibility into the code of your Linux-based systems and be alerted to any malicious or unauthorized code. We have a free community edition.
  • For Windows Computers: Use Intezer’s endpoint scanner. The Endpoint Scanner will provide you with visibility into the type and origin of all binary codes that reside in your machine’s memory.

There doesn’t seem to be a detection method for Macs.

Intezer said he believes SysJoker is from an “advanced threat actor,” that its code was written from scratch, that at least four C2 domains have been registered, and that the malware is targeting specific victims. It’s unclear what the overall purpose of the software is or if it could lead to a ransomware attack somewhere down the line.

Stay tuned for more details as they become available.

Via Mac Observer, Intezer and VirusTotal

Comments are closed.