UNKNOWN HOW IT GETS INSTALLED: SysJoker, an Advanced Threat Actor after Specific Targets

One attack was against an un-named educational institution

SYSJOKER —

Backdoor RAT for Windows, macOS, and Linux went undetected until now

Never-before-seen, cross-platform SysJoker came from an "advanced threat actor."

Dan Goodin - 1/15/2022, 7:00 AM

"Researchers have uncovered a never-before-seen backdoor malware written from scratch for systems running Windows, macOS, or Linux that remained undetected by virtually all malware scanning engines.

Researchers from security firm Intezer said they discovered SysJoker—the name they gave the backdoor malware—on the Linux-based Webserver of a “leading educational institution.” As the researchers dug in, they found SysJoker versions for both Windows and macOS as well. They suspect the cross-platform RAT—short for remote access trojan—was unleashed in the second half of last year.

The discovery is significant for several reasons. . .

[...]

SysJoker is written in C++, and as of Tuesday, the Linux and macOS versions were fully undetected on the VirusTotal malware search engine. The backdoor generates its control-server domain by decoding a string retrieved from a text file hosted on Google Drive. During the time the researchers were analyzing it, the server changed three times, indicating the attacker was active and monitoring for infected machines.

Based on organizations targeted and the malware’s behavior, Intezer's assessment is that SysJoker is after specific targets, most likely with the goal of “​​espionage together with lateral movement which might also lead to a ransomware attack as one of the next stages.”