2022-01-17

Security company Intezer has identified a previously unseen backdoor, built from scratch for Windows, macOS and Linux, that at the time of discovery was not detected by any malware scanning engine.

Named SysJoker, the malware was first found on the Linux web server of a "leading educational institution". Digging further into their findings, the researchers found Windows and macOS versions as well, and they suspect the cross-platform malware has been active since the second half of 2021.

This is a significant discovery for several reasons. First, cross-platform malware is rare: most malware is written with a single operating system in mind. Second, and no less important, SysJoker was written from scratch and uses four separate C&C servers, which suggests that the hand behind its development is an advanced threat actor with substantial resources. Finally, it is still unusual for previously unknown Linux malware to be caught in a real-world attack.

Intezer analyzed the Windows version, while Patrick Wardle, a well-known macOS security researcher, analyzed the macOS version. Both found that SysJoker provides enough backdoor functionality to count as a full-fledged RAT (Remote Access Tool). The executables of both versions carry a .ts suffix.

On Windows, the .ts suffix could be used to pass the malware off as a TypeScript source file. Intezer could not definitively determine how the malware was installed; one possibility, not confirmed, is delivery through a malicious npm package, or a fake file extension used to hide the installer. This would mean that the observed infections did not result from the exploitation of a vulnerability but from social engineering aimed at tricking the intended targets into running the file themselves.

Wardle notes that on macOS the .ts extension could instead make the malware look like an MPEG transport stream (video) file. He also found that the macOS version was digitally signed, although only with an ad hoc signature, one with no signing identity or certificate behind it.
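A practical check that follows from the two masquerades described above (a .ts suffix standing for a TypeScript file on Windows and for an MPEG transport stream on macOS), added here as an example and not taken from Intezer's or Wardle's analyses: a triage routine that compares a file's extension with what its bytes actually are. It assumes nothing about SysJoker beyond the article's statement that the samples carried a .ts suffix; the filenames and byte strings in the block are constructed for the demonstration and are not real malware.

```python
"""Extension-vs-content triage for suspicious '.ts' files.

Added example (not Intezer's or Wardle's code). A file named *.ts is expected
to hold either text (TypeScript) or an MPEG transport stream; if its bytes are
a native executable (PE, ELF or Mach-O) the name is lying and the file is
flagged. Sample inputs below are constructed, not real samples.
"""

# Magic numbers of native executable formats.
PE_MAGIC = b"MZ"                                 # Windows PE (DOS stub header)
ELF_MAGIC = b"\x7fELF"                           # Linux ELF
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",    # 32-bit Mach-O, BE / LE on disk
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",    # 64-bit Mach-O, BE / LE on disk
    b"\xca\xfe\xba\xbe",                         # universal (fat) binary; note:
}                                                # Java .class files share this magic
TS_PACKET = 188                                  # MPEG-TS packet size in bytes
TS_SYNC = 0x47                                   # sync byte opening every packet
EXECUTABLE_KINDS = {"pe", "elf", "macho"}


def is_mpeg_ts(data: bytes) -> bool:
    """True if the first three 188-byte packets each start with the 0x47 sync byte."""
    if len(data) < TS_PACKET * 3:
        return False
    return all(data[i] == TS_SYNC for i in range(0, TS_PACKET * 3, TS_PACKET))


def looks_like_text(data: bytes) -> bool:
    """Heuristic for source/text files: valid UTF-8 with no NUL bytes."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def classify(data: bytes) -> str:
    """Identify the content type from magic bytes, independent of the filename."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if is_mpeg_ts(data):
        return "mpeg-ts"
    if looks_like_text(data):
        return "text"
    return "unknown"


def triage(filename: str, data: bytes) -> tuple:
    """Return (detected_kind, suspicious).

    A .ts filename over a native executable is the mismatch the article
    describes and is flagged; other combinations are reported but not flagged.
    """
    kind = classify(data)
    suspicious = filename.lower().endswith(".ts") and kind in EXECUTABLE_KINDS
    return kind, suspicious


# Constructed sample inputs: just enough bytes for each detector to fire.
SAMPLES = {
    "installer.ts": PE_MAGIC + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200,
    "agent.ts": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 200,
    "updater.ts": b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 200,
    "video.ts": (bytes([TS_SYNC]) + b"\x00" * (TS_PACKET - 1)) * 4,
    "index.ts": b"export const retries: number = 3;\n",
    "agent.bin": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 200,   # honest name
}


def run_samples() -> dict:
    """Triage every constructed sample; returns {filename: (kind, suspicious)}."""
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (kind, flagged) in run_samples().items():
        print(f"{name:14s} {kind:8s} {'SUSPICIOUS' if flagged else 'ok'}")
```

Run against a directory of downloads or an npm package's extracted contents, the same check catches any executable hiding behind a text-looking extension, not only .ts; the fat-binary magic is shared with Java class files, so a "macho" verdict on a .class-shaped file deserves a second look before escalation.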

SysJoker is written in C++. The backdoor obtains its control server address by decoding a string fetched from a text file hosted on Google Drive, a dead-drop resolver that lets the operator change the C&C address without modifying the implant. During the analysis the C&C server changed three times, indicating that the attacker was actively monitoring the infected machines.

Given the organizations targeted and the malware's behavior, Intezer assesses that SysJoker is an espionage tool aimed at specific targets and at lateral movement (penetrating and moving within a network), with the possibility of establishing persistence and deploying ransomware in a later stage.