SysJoker – A New Multi-Platform Backdoor Malware Targeting Microsoft, Mac, and Linux Systems

A new multi-platform backdoor was discovered in December 2021, targeting Windows, Linux, and Mac systems. The backdoor has been named SysJoker, and its Mac and Linux versions remain undetected in VirusTotal.

 The malware was initially discovered by Intezer during an active attack on a Linux-based web server of a reputable educational institution. 

LIFARS Managed Threat Hunting and Response Service (MTH&R) was designed to help customers uncover adversaries across their endpoint, network and SIEM data. Our elite team has decades of combined experience working within governmental CSIRTs, responding to and hunting for adversaries across hundreds of attacks, including ransomware and APTs.

 How Does It Work? 

 In short, SysJoker works by establishing initial access to a machine and then waiting for additional code to execute to assume full control. However, it’s a little more complicated than that, primarily because the malware works differently on each operating system. 

 SysJoker masquerades as a system update, but once it penetrates the victim’s machine, it gathers information such as IP addresses and usernames, with its main goal being to spy on the victim. 

 The malware can stay on the compromised system even after a reboot, and since it communicates with a command and control (C2) server, it’s able to run new code and cause more damage. 

 SysJoker generates its C2 by decoding a string from a text file found in Google Drive. The Intezer investigation discovered that the C2 changed three times, which means that the attacker was actively monitoring the system. 

The initial infection can happen in different ways. For Windows, it starts with a first-stage dropper in the form of a DLL, which downloads the SysJoker zip from GitHub through PowerShell, unzips it in “C:\ProgramData\RecoverySystem” and executes the payload.

In macOS systems, the initial infection comes from a file named types-config.ts, which is a universal Mach-O binary masquerading as an MPEG transport stream video file or a TypeScript file. The file is infectious and designed to spread across Macs with Intel or Apple Silicon chipsets.
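The mismatch described above, a Mach-O executable carrying a .ts extension, can be spotted from the file's leading bytes alone. The following is an added example, not code from Intezer or LIFARS; the function names and sample bytes are constructed for illustration.

```python
import struct

# Constants from Apple's <mach-o/fat.h>, <mach-o/loader.h>, <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE
THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE}
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
TS_PACKET, TS_SYNC = 188, 0x47

def classify(data: bytes) -> str:
    """Identify content from its leading bytes, ignoring the file name."""
    if len(data) >= 8:
        magic, count = struct.unpack(">II", data[:8])
        # Java .class files share 0xCAFEBABE, but their second word holds a
        # class version (>= 45); a fat header holds a small slice count.
        if magic == FAT_MAGIC and 0 < count < 20:
            return "macho-universal"
        if magic in THIN_MAGICS:
            return "macho-thin"
    # MPEG transport stream: sync byte 0x47 opens every 188-byte packet.
    if len(data) >= 2 * TS_PACKET and data[0] == data[TS_PACKET] == TS_SYNC:
        return "mpeg-ts"
    try:
        data.decode("utf-8")          # TypeScript source is plain text
        return "text"
    except UnicodeDecodeError:
        return "unknown"

def fat_archs(data: bytes) -> list:
    """List the CPU architectures declared in a universal binary header."""
    count = struct.unpack(">I", data[4:8])[0]
    archs = []
    for i in range(count):
        entry = data[8 + 20 * i: 28 + 20 * i]   # struct fat_arch: 5 x uint32
        if len(entry) < 20:
            break                                # truncated header
        archs.append(CPU_NAMES.get(struct.unpack(">I", entry[:4])[0], "other"))
    return archs

def check_ts_file(name: str, data: bytes) -> str:
    """Flag a .ts file whose content is really a Mach-O executable."""
    kind = classify(data)
    if name.lower().endswith(".ts") and kind.startswith("macho"):
        archs = fat_archs(data) if kind == "macho-universal" else []
        return f"SUSPICIOUS {name}: {kind} {archs}"
    return f"ok {name}: {kind}"

# Constructed samples, not real malware: a fat header with two slices.
FAKE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
            + struct.pack(">5I", 0x01000007, 3, 16384, 100, 14)
            + struct.pack(">5I", 0x0100000C, 0, 32768, 100, 14))
```

In practice, pass `check_ts_file` the first few hundred bytes of each .ts file found on disk; a genuine TypeScript or transport-stream file never classifies as Mach-O.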

 After it establishes itself in the system, SysJoker is able to run additional code and commands that can move further into the network and carry out attacks. 

 How to Protect Yourself 

Third-party antivirus software or built-in threat mitigation features from Apple, Microsoft, or Linux can do little to stop this type of threat, as it’s hard to detect.

 To detect this malware, you can use a memory scanner to check whether there have been any unauthorized changes to your system’s code. 

 If you detect SysJoker in your system, take the following steps: 

  • Close all processes related to SysJoker, and delete all files associated with it. 
  • Run the memory scanner to make sure the machine is clean. 
  • Check the entry point of the malware to prevent future breaches. Things to look out for are the software versions used and password complexity.