Malware is a constant concern for practically everyone who uses an electronic device. It can steal personal data, take over accounts and subscriptions, exfiltrate information from companies, and much more. Not every sample behaves the same way, even though we commonly say "virus" to describe any threat to our personal information or to the proper functioning of our devices. In reality there are countless types of malware, each with a different purpose.
Discovery of SysJoker
Researchers from the security company Intezer report that they discovered a backdoor called SysJoker on the Linux-based web server of "a leading educational institution." As they dug deeper, they found that versions of SysJoker also exist for Windows and macOS. The cross-platform RAT (remote access trojan) is believed to have been developed in the second half of last year.
This discovery is relevant for several reasons. First, cross-platform malware is uncommon, since most malware is written for a single operating system. In this case the RAT was written from scratch and used four separate command and control (C2) servers, which suggests that whoever developed it invested significant resources. Second, it is also rare to find previously unseen Linux malware.
https://www.youtube.com/watch?v=uXm2XNSavwo
Analysis of the Windows and macOS versions
Analysis of the Windows version by Intezer and of the macOS version by researcher Patrick Wardle found that the malware provides advanced backdoor capabilities. On both operating systems the executable files carried the suffix .ts.
Intezer said that this "may be an indication that the file was masquerading as a type script application that was spread after being added to the npm JavaScript repository." Intezer went on to say that SysJoker pretends to be a system update.
It has not yet been determined how the malware was installed. One theory is that it was delivered through a malicious npm package; another is that the misleading extension was used to disguise the malicious installer. Either way, this would suggest that the infections were not the result of exploiting a vulnerability but of tricking the user into installing it.
Meanwhile, Patrick Wardle said that "the .ts extension may indicate that the file is masquerading as video transport stream content." He also found that the macOS file was digitally signed, albeit only with an ad-hoc signature. An ad-hoc signature is not tied to any certificate or developer identity, so it says nothing about who built the file and does not satisfy Gatekeeper's developer-identity checks.
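Whichever of the two masquerade theories is right, the practical check is the same: a file extension says nothing about what the bytes are, but the file header does. The following Python script is an added example, not code from the original article, from Intezer or from Patrick Wardle. It sniffs PE, ELF and Mach-O magic values and flags any file whose extension claims a non-executable type while its header says native executable. The sample byte strings are constructed here, the extension list beyond .ts is illustrative, and the `nfat_arch` threshold used to tell a fat Mach-O from a Java class file (both start with 0xCAFEBABE) is a heuristic assumption rather than a format rule.

```python
import os
import struct
from typing import Dict, Optional, Tuple

# Magic values of the native executable formats (facts about the formats).
# Thin Mach-O binaries start with one of four 32-bit magics depending on
# word size and byte order; fat/universal binaries start with 0xCAFEBABE,
# which Java .class files also use, so that case needs a second look.
MACHO_THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE}
FAT_MAGIC = 0xCAFEBABE
# Heuristic (assumption, not an Apple rule): a fat header's nfat_arch is tiny,
# while the same four bytes in a Java class file hold minor/major version,
# and Java major versions start at 45.
MAX_PLAUSIBLE_FAT_ARCHS = 20

# Extensions that should never carry a native executable. ".ts" is the one
# the article reports; the rest are added for illustration.
NON_EXECUTABLE_EXTENSIONS = {".ts", ".txt", ".js", ".jpg", ".png", ".pdf", ".mp4"}


def detect_format(data: bytes) -> Optional[str]:
    """Return 'PE', 'ELF' or 'Mach-O' from the file header, or None."""
    if len(data) >= 2 and data[:2] == b"MZ":
        return "PE"  # DOS stub; a fuller check would follow e_lfanew to "PE\0\0"
    if len(data) >= 4 and data[:4] == b"\x7fELF":
        return "ELF"
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic in MACHO_THIN_MAGICS:
            return "Mach-O"
        if magic == FAT_MAGIC and len(data) >= 8:
            nfat_arch = struct.unpack(">I", data[4:8])[0]
            if nfat_arch <= MAX_PLAUSIBLE_FAT_ARCHS:
                return "Mach-O"
    return None


def is_masquerading(filename: str, data: bytes) -> Tuple[bool, Optional[str]]:
    """True when the header says native executable but the extension says otherwise."""
    fmt = detect_format(data)
    ext = os.path.splitext(filename)[1].lower()
    return (fmt is not None and ext in NON_EXECUTABLE_EXTENSIONS), fmt


# Constructed samples, not files from the incident.
SAMPLES: Dict[str, bytes] = {
    "update.ts": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,            # ELF64 e_ident
    "helper.ts": b"MZ\x90\x00" + b"\x00" * 60,                      # PE/DOS header stub
    "agent.ts": struct.pack(">I", 0xFEEDFACF) + b"\x00" * 12,       # 64-bit Mach-O magic
    "video.ts": b"\x47\x40\x00\x10" + b"\xff" * 184,                # genuine MPEG-TS packet (sync byte 0x47)
    "Main.class": bytes.fromhex("cafebabe00000034") + b"\x00" * 8,  # Java class, not a fat Mach-O
    "tool": struct.pack(">II", 0xCAFEBABE, 2) + b"\x00" * 8,        # fat Mach-O with two slices
}


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Apply the check to every sample; returns {name: (flagged, detected_format)}."""
    return {name: is_masquerading(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (flagged, fmt) in scan().items():
        print(f"{name:12s} format={fmt!s:8s} masquerading={flagged}")
```

The same idea applies on the command line with `file` or YARA, but embedding it in a script lets you run it over every new file a web server or package install drops, which is where a .ts that is really an ELF would show up.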
SysJoker is written in C++, and at the time of discovery the Linux and macOS versions were entirely undetected on VirusTotal. "The backdoor generates its control server domain by decoding a string retrieved from a text file hosted on Google Drive. During the time the researchers analyzed it, the server changed three times, indicating that the attacker was active and monitoring the infected machines."
According to Intezer's analysis, SysJoker could be pursuing very specific targets with the aim of "espionage together with lateral movement that could also lead to a ransomware attack as one of the next stages."
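The Google Drive file is a dead-drop resolver: the malware never hardcodes the C2 domain, it fetches an encoded blob from a legitimate service and decodes it, and the operator can rotate C2 servers by editing that file. The Python below is an added example, not SysJoker's code and not Intezer's, showing how an analyst can model that mechanism and watch for rotation the way the researchers did. The encoding (base64 over repeating-key XOR), the key `example-key` and the `*.example` hostnames are all assumptions for illustration; the real scheme is not reproduced here.

```python
import base64
import re
from typing import List, Optional

# Assumed encoding for this example: base64 over a repeating-key XOR of the
# hostname. The key and the scheme are illustrative stand-ins, not SysJoker's.
XOR_KEY = b"example-key"

# Hostname validation: labels of 1..63 chars, no leading/trailing hyphen,
# at least one dot, 253 chars overall. Anything else is treated as noise.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_dead_drop(hostname: str, key: bytes = XOR_KEY) -> str:
    """Inverse of decode_dead_drop; used only to build the constructed samples below."""
    return base64.b64encode(xor_bytes(hostname.encode("ascii"), key)).decode("ascii")


def decode_dead_drop(blob: str, key: bytes = XOR_KEY) -> Optional[str]:
    """Turn fetched dead-drop text into a C2 hostname, or None if it does not decode to one.

    Junk, truncated or tampered content must not yield a bogus hostname, so
    every failure mode collapses to None instead of raising.
    """
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
        hostname = xor_bytes(raw, key).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return hostname if HOSTNAME_RE.match(hostname) else None


def track_rotation(polls: List[str]) -> List[str]:
    """Distinct C2 hostnames in the order they first appeared across successive polls."""
    seen: List[str] = []
    for blob in polls:
        hostname = decode_dead_drop(blob)
        if hostname is not None and hostname not in seen:
            seen.append(hostname)
    return seen


# Constructed sequence of dead-drop contents seen on successive polls
# (example domains, not real indicators of compromise).
CONSTRUCTED_POLLS = [
    encode_dead_drop("c2-one.example"),
    encode_dead_drop("c2-one.example"),  # unchanged between two polls
    "not base64!!",                       # resolver temporarily holds junk
    encode_dead_drop("c2-two.example"),
    encode_dead_drop("c2-three.example"),
    encode_dead_drop("c2-four.example"),
]


if __name__ == "__main__":
    hosts = track_rotation(CONSTRUCTED_POLLS)
    print("C2 rotation observed:", " -> ".join(hosts))
    print("changes:", len(hosts) - 1)
```

Two points carry over to real analysis: a resolver hosted on Google Drive means the first network indicator is a benign-looking TLS connection to Google, so the C2 domain itself, not the resolver, is what to block and hunt for; and because the operator can change the file at any time, a single extracted domain is a snapshot, which is why polling and recording the rotation matters.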