AppleInsider is supported by its audience and is eligible to earn an Amazon Associate and Affiliate Partner commission on qualifying purchases. These affiliate partnerships do not influence our editorial content.
The new “SysJoker” backdoor can attack multiple operating systems, including macOS, Windows, and Linux.
On January 11, researchers from Intezer revealed that they had found SysJoker, a backdoor originally discovered attacking Linux. Soon after, variants of the same backdoor were discovered after Windows and macOS.
The finding is unusual, as it is rare to find malicious code capable of attacking multiple platforms at once. Typically, malware is produced to attack a specific vulnerability on a single platform, rather than being produced in the same way for multiple platforms simultaneously.
According to researchers in a technical analysis, SysJoker was launched in an attack in the second half of 2021. Security researcher Patrick Wardle performed the analysis for the macOS variant, while Intezer focused on the Windows version.
The code happens to be a universal binary covering both Intel and arm64 versions, which means it can run on Apple Silicon as well as older Macs with Intel chips. The code is signed, but with an ad-hoc signature.
When first run, the software copies itself to the user’s library as an update for macOS, which is used to persist on the infected system.
After being executed, the malware then attempts to download a file from a Google Drive account and is able to extract and run an executable, based on commands from a designated control server. Other commands include unpacking a downloaded executable and changing the permissions of the unpacked executable to allow it to run.
Analysis of Windows indicates that it works in much the same way, namely impersonating an update, contacting a remote server to download a payload and receiving other commands, and executing code on the system target.
It seems that the backdoor is starting to be flagged by antivirus engines, after being identified by researchers.
As for its objective, Intezer has not witnessed a second step or command sent by the attacker, indicating that it has a very specific objective, and therefore likely to come from an “actor advanced”. The goal is thought to be “espionage”, although there is the possibility that ransomware attacks may be carried out as a follow-up step.
SysJoker detection
Intezer has published a list of indicators indicating that a system has been attacked, including the files created and the LaunchAgent which allows the code to persist.
Files and directories created by SysJoker include:
- /Library/MacOsServices
- /Library/MacOsServices/updateMacOs
- /Library/SystemNetwork
- /Library/LaunchAgents/com.apple.update.plist
The persistence code is located under LibraryLaunchAgents/com.apple.update.plist path. If the files are on a Mac, it is advised to kill all associated processes and delete the files.
It is unknown how a user can become a victim of SysJoker at present.
