Researchers have discovered a never-before-seen backdoor written from scratch for systems running Windows, macOS, or Linux that went undetected by virtually all malware scanning engines.
Researchers at security firm Intezer said they discovered SysJoker, the name given to the backdoor, on a “leading educational institution’s” Linux-based web server. As the researchers dug deeper, they also found versions of SysJoker for Windows and macOS. They suspect that the cross-platform malware was unleashed in the second half of last year.
The discovery is significant for several reasons. First of all, fully cross-platform malware is a rarity, as most malware is written for a specific operating system. The backdoor was also written from scratch and used four separate command and control servers, an indication that the people who developed and used it were part of an advanced threat actor that invested significant resources. It’s also unusual for never-before-seen Linux malware to be found in a real-world attack.
Meanwhile, Wardle said the .ts extension may indicate that the file is masquerading as video transport stream content. He also discovered that the macOS file was digitally signed, albeit with an ad-hoc signature.
SysJoker is written in C++, and as of Tuesday, the Linux and macOS versions had still not been fully detected by the scanning engines on the VirusTotal malware search service. The backdoor derives its command and control server domain by decoding a string it retrieves from a text file hosted on Google Drive, so the operators can change the server without touching the implant. During the period in which the researchers analyzed it, the server changed three times, indicating that the attacker was active and monitoring the infected machines.
Based on the organizations targeted and the behavior of the malware, Intezer’s assessment is that SysJoker is pursuing specific targets, most likely aiming for “espionage coupled with lateral movement that could also lead to a ransomware attack as one of the next steps”.