Home > Cyber News > SysJoker Backdoor Targets macOS, Windows and Linux Users
CYBER NEWS

SysJoker Backdoor Targets macOS, Windows and Linux Users

sysjoker malware
Security researchers reported a new backdoor capable of targeting Windows, macOS, and Linux operating systems.

SysJoker Backdoor Technical Overview

Called SysJoker, the multi-platform malware is currently not detected by any of the security engines in VirusTotal. SysJoker was discovered by Intezer researchers during an active attack on a Linux-based web server that belongs to a leading educational institution.




To propagate, the malware hides itself as a system update and generates its command-and-control by decoding a string retrieved from a text file hosted on Google Drive, Intezer’s report said. During their analysis, the command-and-control changed three time meaning that the attackers are active and monitoring the infection process. It seems that the attacks are rather specific.

The backdoor is coded in C++, with each sample tailored according to specific the operating system. It should be noted that currented both the macOS and Linux samples are fully undetected in VirusTotal. In terms of its malicious behavior, the malware shows similar capabilities on the three operating systems.

SysJoker collects specific system information, including the MAC address, user name, physical media serial number, and IP address. Then, it achieves persistence by adding an entry to the registry run key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The malware is also set to sleep between the different steps it performs.

“Based on the malware’s capabilities we assess that the goal of the attack is espionage together with lateral movement which might also lead to a Ransomware attack as one of the next stages,” the report concluded.

ElectroRAT Is Another Example of Multi-Platform Malware

An older example of a multi-platform malware targeting Windows, macOS and Linux was detected by the same researchers in January last year. Called ElectroRAT, the malicious operation was quite elaborate in its mechanism, consisting of a marketing campaign, custom applications related to cryptocurrencies, and an entirely new Remote Access Tool (RAT).

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...