New "Undetected" Backdoor Runs Across Three OS Platforms
Security experts are warning of new backdoor malware designed to work across Windows, Mac and Linux, some versions of which are currently undetected in VirusTotal.
Dubbed “SysJoker” by researchers at Intezer, the malware was discovered during an attack on a Linux web server running in an education sector organization. It’s believed to date back to the second half of 2021.
“SysJoker masquerades as a system update and generates its C2 [command and control] by decoding a string retrieved from a text file hosted on Google Drive,” the vendor explained in a blog post.
“During our analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines. Based on victimology and malware’s behavior, we assess that SysJoker is after specific targets.”
The malware is written in C++, with each sample customized for the OS it targets. Worryingly, the Linux and macOS versions were fully undetected in VirusTotal at the time of writing.
Aside from the Windows version containing a first-stage dropper, all three variants work the same. After execution, the malware sleeps for up to 120 seconds, then creates a directory and copies itself under this directory, pretending to