SysJoker Backdoor is a newly discovered piece of malware, first identified in December 2021 by the Intezer team.
SysJoker Backdoor can infect macOS, Windows, and Linux machines. It was first discovered while it was actively attacking a Linux web server of “a leading educational institution.” Based on its Command and Control (C&C or C2) domain registration and samples, Intezer believes the attack started sometime during the second half of 2021.
The SysJoker malware pretends to function as a system update and generates its C2 domain by decoding a string from a text file hosted on Google Drive. The Intezer team stated that during its analysis, the malware’s C2 changed three times, suggesting that the operators are actively searching for machines to infect. The SysJoker backdoor also seems to target specific victims.
A sample of the malware was uploaded to VirusTotal, which allows security researchers to analyze uploaded files and URLs for malware. The SysJoker backdoor malware is apparently written in C++ and can be tailored for the macOS, Windows, and Linux operating systems.
To locate the malware on a computer, Intezer recommends the following steps:
- For Linux machines: Use Intezer Protect to gain full runtime visibility over the code in your Linux-based systems and get alerted on any malicious or unauthorized code. We have a free community edition.
- For Windows machines: Use Intezer’s Endpoint Scanner. The Endpoint Scanner will provide you with visibility into the type and origin of all binary code that resides in your machine’s memory.
There doesn’t appear to be a method of detection for macOS at this time.
Intezer has stated that it believes SysJoker is from an “advanced threat actor,” that its code was written from scratch, that at least four C2 domains were registered, and that the malware targets specific victims. It is unknown what the overall goal of the software is or whether it could lead to a ransomware attack somewhere down the line.
Stay tuned for additional details as they become available.
Via The Mac Observer, Intezer, and VirusTotal