Security researchers reported a new backdoor capable of targeting Windows, macOS, and Linux operating systems.
SysJoker Backdoor Technical Overview
Called SysJoker, the multi-platform malware is currently not detected by any of the security engines in VirusTotal. SysJoker was discovered by Intezer researchers during an active attack on a Linux-based web server that belongs to a leading educational institution.
To propagate, the malware disguises itself as a system update and generates its command-and-control address by decoding a string retrieved from a text file hosted on Google Drive, Intezer’s report said. During the analysis, the command-and-control address changed three times, meaning that the attackers are active and monitoring the infection process. The attacks appear to be targeted rather than opportunistic.
The backdoor is coded in C++, with each sample tailored to the specific operating system. It should be noted that currently both the macOS and Linux samples are fully undetected in VirusTotal. In terms of its malicious behavior, the malware shows similar capabilities on the three operating systems.
SysJoker collects specific system information, including the MAC address, user name, physical media serial number, and IP address. On Windows, it then achieves persistence by adding an entry to the registry run key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The malware is also set to sleep between the different steps it performs.
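The persistence technique described above (a value written under the per-user Run key) leaves a registry-modification trace that endpoint telemetry such as Sysmon Event ID 13 records. The following is an added example, not code from the Intezer report or from the malware, of detection logic a defender might run over such events: it picks out Run-key writes and flags those whose target executable, or the process performing the write, lives in a user-writable location. The log layout (`key=value|key=value`) and all sample lines are constructed for the example; real Sysmon output would be parsed from XML or EVTX instead.

```python
import re

# Constructed sample events in a simplified "key=value|key=value" layout.
# EventID 13 mirrors Sysmon's RegistryEvent (value set); EventID 1 is a process create.
SAMPLE_EVENTS = [
    # Legitimate installer registering a per-user autostart from Program Files.
    "EventID=13|Image=C:\\Windows\\System32\\msiexec.exe"
    "|TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
    "|Details=C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe",
    # Constructed suspicious case: a binary posing as a 'system update' under AppData
    # registers itself under the Run key from that same user-writable directory.
    "EventID=13|Image=C:\\Users\\alice\\AppData\\Roaming\\SystemUpdate\\update.exe"
    "|TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemUpdate"
    "|Details=C:\\Users\\alice\\AppData\\Roaming\\SystemUpdate\\update.exe",
    # Registry write that is not under the Run key: should be ignored.
    "EventID=13|Image=C:\\Windows\\explorer.exe"
    "|TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"
    "|Details=DWORD (0x00000001)",
    # Not a registry event at all: should be ignored.
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
]

# Matches the per-user Run key whether written as HKCU, HKEY_CURRENT_USER, or the
# HKU\<SID> form that Sysmon uses, and captures the value name at the end.
RUN_KEY_RE = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER|HKU\\[^\\]+)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$",
    re.IGNORECASE,
)

# Directories an unprivileged user can write to; autostarts pointing here deserve a look.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE
)


def parse_event(line: str) -> dict:
    """Split one constructed 'key=value|key=value' line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def run_key_value_name(target_object: str):
    """Return the Run-key value name if target_object is under HKCU\\...\\Run, else None."""
    match = RUN_KEY_RE.match(target_object)
    return match.group(1) if match else None


def is_user_writable(path: str) -> bool:
    """True if the path passes through a directory a normal user can write to."""
    return bool(USER_WRITABLE_RE.search(path))


def find_suspicious_run_entries(lines) -> list:
    """Return Run-key writes whose target or writing process sits in user-writable space."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "13":
            continue
        value_name = run_key_value_name(event.get("TargetObject", ""))
        if value_name is None:
            continue
        # The value data is the command that will run at logon; strip surrounding quotes.
        command = event.get("Details", "").strip('"')
        reasons = []
        if is_user_writable(command):
            reasons.append("autostart target is in a user-writable directory")
        if is_user_writable(event.get("Image", "")):
            reasons.append("process writing the Run key is in a user-writable directory")
        if reasons:
            hits.append(
                {
                    "value_name": value_name,
                    "command": command,
                    "image": event.get("Image", ""),
                    "reasons": reasons,
                }
            )
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_run_entries(SAMPLE_EVENTS):
        print(f"{hit['value_name']}: {hit['command']} ({'; '.join(hit['reasons'])})")
```

The two heuristics are deliberately simple: a Run value pointing into AppData or Temp is common for legitimate per-user software too, so in production this logic belongs behind an allow-list of known installers and is best correlated with the other behaviours the report describes, such as outbound requests to Google Drive shortly after the write.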
“Based on the malware’s capabilities we assess that the goal of the attack is espionage together with lateral movement which might also lead to a Ransomware attack as one of the next stages,” the report concluded.
ElectroRAT Is Another Example of Multi-Platform Malware
An older example of multi-platform malware targeting Windows, macOS, and Linux was detected by the same researchers in January last year. Called ElectroRAT, the malicious operation was quite elaborate in its mechanism, consisting of a marketing campaign, custom applications related to cryptocurrencies, and an entirely new Remote Access Tool (RAT).