Backdoor for Windows, macOS, and Linux went undetected until now

Researchers have discovered a never-before-seen backdoor, written from scratch, for systems running Windows, macOS, or Linux. It went undetected by virtually all malware scanning engines.

Researchers at security firm Intezer said they discovered SysJoker (the name they gave the backdoor) on a Linux-based web server belonging to a "leading educational institution." Digging deeper, they found Windows and macOS versions of SysJoker as well. They believe the cross-platform malware was first deployed in the second half of last year.

The discovery is significant for several reasons. First, fully cross-platform malware is rare; most malicious software is written for a single operating system. The backdoor was also written from scratch and uses four separate command-and-control servers, which suggests that the people who developed and deployed it belong to an advanced threat actor with significant resources. Finally, it is rare for never-before-seen Linux malware to be found in a real-world attack.

Analysis of the Windows version (by Intezer) and the macOS version (by researcher Patrick Wardle) shows that SysJoker provides advanced backdoor capabilities. The executable files in both the Windows and macOS versions carry a .ts suffix. Intezer said this could indicate that the file was disguised as a TypeScript file and spread after being slipped into the npm JavaScript package repository. Intezer also said that SysJoker masquerades as a system update.

Wardle, on the other hand, noted that the .ts extension may instead be an attempt to pass the file off as video transport stream content. He also found that the macOS file is digitally signed, though only with an ad hoc signature, which any developer can apply without an Apple-issued certificate.
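Whichever format the .ts suffix is meant to imitate, a TypeScript source file and an MPEG transport stream are both non-executable, so a .ts file that begins with a PE, ELF, or Mach-O magic number is worth a closer look. The following hunting script is an added example written for this article; it is not code from Intezer, Wardle, or the SysJoker samples. The sample tree it scans is constructed inline, and the file names in it are made up for illustration.

```python
"""Flag files whose extension says TypeScript (or transport stream) but whose
bytes say native executable.

Added example, not code from the article or from the researchers it cites.
A genuine .ts file is text or MPEG-TS data, so a .ts file that starts with a
PE, ELF, or Mach-O magic number is a candidate for the kind of extension
masquerade described above. All sample files below are constructed here.
"""
import os
import tempfile
from typing import List, Optional, Tuple

# Magic numbers for the three native executable formats SysJoker ships as.
# Mach-O has 32/64-bit and big/little-endian variants plus FAT (universal)
# binaries; note that CAFEBABE is also the Java class-file magic, which is
# still worth flagging inside a .ts file.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF (Linux)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit, big-endian (macOS)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit, big-endian (macOS)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit, little-endian (macOS)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit, little-endian (macOS)",
    b"\xca\xfe\xba\xbe": "Mach-O FAT/universal (macOS)",
}


def classify_bytes(head: bytes) -> Optional[str]:
    """Return a format name if the leading bytes match a native executable magic."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def find_masquerading_files(root: str,
                            suspicious_exts: Tuple[str, ...] = (".ts",)
                            ) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, format) pairs for files whose extension is
    in `suspicious_exts` but whose content is a native executable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suspicious_exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4)  # longest magic above is 4 bytes
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            fmt = classify_bytes(head)
            if fmt is not None:
                hits.append((path, fmt))
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed sample tree and return the base names that get flagged.

    The file names are hypothetical; only the header bytes matter.
    """
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.ts": b"export const version = '1.0';\n",   # genuine TypeScript
            "update.ts": b"\xcf\xfa\xed\xfe" + b"\0" * 60,     # Mach-O 64-bit LE header
            "types.d.ts": b"MZ\x90\x00" + b"\0" * 60,          # PE header
            "server.ts": b"\x7fELF\x02\x01\x01" + b"\0" * 60,  # ELF header
            "readme.txt": b"\x7fELF" + b"\0" * 60,             # executable, but not .ts
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return [os.path.basename(p) for p, _ in find_masquerading_files(root)]


if __name__ == "__main__":
    for name in demo():
        print("suspicious .ts executable:", name)
```

Run it against a web root or a user's home directory to get a short list of candidates; the magic check is cheap enough to cover a whole filesystem. On macOS, a flagged Mach-O can then be inspected with `codesign -dv <file>`, whose output reports `Signature=adhoc` for a binary signed the way Wardle describes.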

SysJoker is written in C++, and as of Tuesday the Linux and macOS versions were still not detected by any of the scanning engines on VirusTotal. The backdoor derives its command-and-control domain by decoding a string fetched from a text file hosted on Google Drive. During the researchers' analysis, that domain changed three times, indicating that the attacker was active and monitoring the infected machines.

Based on the organization that was hit and the behavior of the malware, Intezer assesses that SysJoker is being used in targeted attacks, most likely with the goal of "espionage together with lateral movement, which might also lead to a ransomware attack as one of the next stages."