Backdoor for Windows, macOS, and Linux went undetected until now

Researchers have discovered a never-before-seen backdoor written from scratch for systems running Windows, macOS, or Linux that went undetected by virtually all malware scanning engines.

Researchers at security firm Intezer said they discovered SysJoker, the name given to the backdoor, on a “leading educational institution’s” Linux-based web server. As the researchers dug deeper, they also found versions of SysJoker for Windows and macOS. They suspect that cross-platform malware was unleashed in the second half of last year.

The discovery is significant for several reasons. First of all, fully cross-platform malware is a rarity, as most malware is written for a specific operating system. The backdoor was also written from scratch and used four separate command and control servers, an indication that the people who developed and used it were part of an advanced threat actor that invested significant resources. It’s also unusual for never-before-seen Linux malware to be found in a real-world attack.

Analysis of the Windows version (by Intezer) and the macOS version (by researcher Patrick Wardle) found that SysJoker provides advanced backdoor capabilities. The executable files for the Windows and macOS versions carried a .ts suffix. Intezer said that may indicate the file was masquerading as a script application of some kind that spread after sneaking into npm’s JavaScript repository. Intezer also said that SysJoker poses as a system update.

Meanwhile, Wardle said the .ts extension may indicate that the file is masquerading as video transport stream content. He also discovered that the macOS file was digitally signed, albeit with an ad-hoc signature.
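The .ts masquerade described above is cheap to check for on the defender's side: whatever the suffix claims, a native executable still begins with a recognisable PE, ELF or Mach-O header. The following is an added illustration of that check, not code from Intezer, Wardle or the article; the sample headers are constructed (they are not SysJoker samples), and the list of "should never be executable" suffixes beyond .ts is an assumption. A genuine MPEG transport stream (sync byte 0x47) is included to show it is not flagged.

```python
import os
import struct

# Suffixes that should never hold a native executable. ".ts" comes from the
# article; the remaining entries are assumed additions (common text/media
# suffixes), not taken from the report.
SUSPECT_SUFFIXES = {".ts", ".txt", ".log", ".json", ".xml", ".jpg", ".png", ".mp4"}

# Thin Mach-O magics (fat/universal binaries are deliberately left out,
# because their 0xcafebabe magic collides with Java class files).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC (32-bit, big-endian on disk)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64 (x86-64 / arm64 as written on disk)
}


def classify_executable(data: bytes):
    """Return 'PE', 'ELF' or 'Mach-O' when the leading bytes mark a native
    executable, otherwise None. Only a few hundred header bytes are needed."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:4] in MACHO_MAGICS:
        return "Mach-O"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # DOS stub: the 32-bit e_lfanew field at 0x3c points at "PE\0\0".
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
    return None


def find_disguised_executables(files):
    """files: mapping of filename -> leading bytes. Returns [(name, kind)] for
    entries whose suffix is in SUSPECT_SUFFIXES but whose bytes are a native
    executable, i.e. an extension/content mismatch worth triaging."""
    hits = []
    for name, head in files.items():
        suffix = os.path.splitext(name)[1].lower()
        kind = classify_executable(head)
        if suffix in SUSPECT_SUFFIXES and kind:
            hits.append((name, kind))
    return hits


def scan_directory(root, head_size=512):
    """Walk a real directory tree and apply the same check to files on disk."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(head_size)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return find_disguised_executables(files)


# Constructed sample headers (not real SysJoker samples): an ELF prefix, a
# minimal PE stub, a genuine MPEG-TS packet, a 64-bit Mach-O magic, and a
# PE file whose .exe suffix is honest and therefore not reported.
_MIN_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_FILES = {
    "types.ts": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "update.ts": _MIN_PE,
    "video.ts": b"\x47\x40\x00\x10" + b"\xff" * 184,
    "mac.ts": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",
    "tool.exe": _MIN_PE,
}

if __name__ == "__main__":
    for name, kind in find_disguised_executables(SAMPLE_FILES):
        print(f"{name}: {kind} executable with a non-executable suffix")
```

Run against a web root or a user's download folder with `scan_directory(path)`; the check is header-based, so it does not depend on antivirus signatures, which is the point when a sample is still unknown to VirusTotal.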

SysJoker is written in C++, and as of Tuesday, the Linux and macOS versions were still going undetected on the VirusTotal malware search engine. The backdoor generates its control server domain by decoding a string retrieved from a text file hosted on Google Drive. During the time the researchers analyzed it, the server changed three times, indicating that the attacker was active and monitoring the infected machines.

Based on the organizations targeted and the behavior of the malware, Intezer’s assessment is that SysJoker is pursuing specific targets, most likely aiming for “espionage coupled with lateral movement that could also lead to a ransomware attack as one of the next steps”.