Cybersecurity researchers have uncovered a new form of malware that can create backdoors on Windows, Linux and macOS operating systems, providing hackers with full access to compromised systems.
The malware has been detailed by researchers at Intezer, who have named it SysJoker. It was discovered while they were investigating an attack against a Linux-based web server at an undisclosed educational institution in December. SysJoker wasn’t the malware behind the attack being investigated – but it was already present on the servers.
The nature of SysJoker and the way it’s designed to provide a backdoor into systems – with the ability to run commands, download and upload files – suggests the goal for those delivering it could be espionage, but it could also be utilised as a tool for delivering additional malware to compromised systems.
SEE: A winning strategy for cybersecurity (ZDNet special report)
“Based on the malware’s capabilities we assess that the goal of the attack is espionage together with lateral movement that might also lead to a ransomware attack as one of the next stages,” Avigayil Mechtinger, cybersecurity researcher at Intezer, told ZDNet.
SysJoker compromises victim devices by masquerading as a system update for Linux and MacOS, while in the Windows version it masquerades as Intel drivers. It’s unclear how the phoney driver updates are delivered to victims, but the nature of the updates means that users are likely to follow the instructions to install them.
Researchers note that the names of the update names like “updateMacOs” and “updateSystem” are relatively generic, which is something that could potentially arouse suspicion.
Based on analysis of SysJoker, the malware started being actively deployed in attacks in the second half of 2021 and the attackers behind it are paying close attention to campaigns.
Even during the period of analysis after the malware was initially discovered in December, the command and control domain behind the attacks has changed three times, indicting that those behind the campaign are actively monitoring targets.
The way the attackers play close attention to compromised victims, the way in which they appear to carefully choose their targets and the way that the malware can target multiple operating systems suggests that those behind SysJoker are what researchers describe as an “advanced threat actor”.
In addition to this, the fact that the attackers have written code from scratch that hasn’t been seen in previous attacks and can target three different operating systems also suggests that whoever the cyber criminals behind SysJoker are, they know what they’re doing.
While the campaign isn’t widespread, the nature of SysJoker malware – and the way the attackers appear to go after specific targets and can remain hidden on compromised networks for significant periods of time – was only discovered when another attack was being investigated.
It’s likely that the campaign is still active, but researchers have detailed advice on how to avoid falling victim. These include using memory scanners to detect malicious payloads that have potentially been installed. Administrators should also be on the lookout for potentially suspicious activity and investigate it if something feels amiss.