The malware establishes initial access on targeted machines, then waits for additional code to execute.
A brand-new multiplatform malware, likely distributed via malicious npm packages, is spreading under the radar with Linux and Mac versions going fully undetected in VirusTotal, researchers warned.
The Windows version, according to a Tuesday writeup from Intezer, has only six detections as of this writing. These were uploaded to VirusTotal with the suffix “.ts,” which is used for TypeScript files.
Dubbed SysJoker by Intezer, the backdoor is used for establishing initial access on a target machine. Once installed, it can execute further code as well as additional commands, through which malicious actors can carry out follow-on attacks or pivot to move further into a corporate network. This kind of initial access is also a hot commodity on underground cyberforums, where ransomware groups and others can purchase it.
It was first seen in December during a cyberattack on a Linux-based web server of a “leading educational institution,” researchers said. Looking at its command-and-control (C2) domain registration and other sample data, this trickster appears to have been cooked up in the second half of 2021, they added.
A possible attack vector for SysJoker