Researchers have found new backdoor malware coined “SysJoker,”. The malware exhibits tremendous diversity for target platforms. Since it can attack Windows, macOS, and Linux alike, the threat actors may use this malware for espionage.
SysJoker Backdoor Malware Targets Multiple Platforms
According to a recent post from Intezer, the SysJoker backdoor malware has been running active campaigns in the wild since last year.
The researchers first detected it in December 2021 when it attacked the Linux-based server of a known educational institute. However, analyzing the malware revealed that it can also target other major platforms like Windows and macOS (as Windows Pe and Mach-O versions, respectively).
Briefly, the malware authors have developed this C++ -based malware with precise tailoring to target different systems. SysJoker typically reaches a device posing as fake Intel driver updates (for Windows), or system updates (for Linux and macOS).
Once downloaded, the malware then plants backdoors in the target device with considerable ability to run remote commands. Also, an adversary can upload or download files via those backdoors.
Hence, the researchers believe that this explicit control makes it a potent espionage tool. Though, the hackers may also use it for malware attacks. For now, the researchers haven’t observed the second attack stage.
During our analysis, we haven’t witnessed a second stage or command sent from the attacker. This suggests that the attack is specific which usually fits for an advanced actor.
Besides, the attackers behind this malware changed the C&C server three times during the researchers’ analysis.
During our analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines.
Moreover, the researchers also noticed the malware aiming at specific targets, which further hints at espionage intentions.
Presently, SysJoker has managed to remain under the radar, as evident from its low to none detection rate on VirusTotal.
Nonetheless, Intezer recommends admins run memory scanners on machines if they suspect a SysJoker attack. Also, admins should vigilantly monitor their systems for vulnerable or unpatched software requiring immediate attention.
