The new cross-platform backdoor SysJoker affects Windows, macOS, Linux

Espionage malware was discovered targeting various machines in an ongoing campaign that started in the second half of 2021

New backdoor malware aims at Windows, Linux, and macOS machines. The attack is specific, which usually fits an advanced actor, so these targets are specific.

The new backdoor malware campaign was discovered by researchers. The cross-platform trojan named SysJoker has been targeting machines running Windows, Linux, and macOS and is involved in a months-long campaign.[1] The warning on commercial surveillance[2] reveals that the new RAT, discovered in December, can run undetected on Linux or macOS systems for a while.

The multi-platform backdoor espionage campaign was discovered during an active attack on a Linux-based web server.[3] The target was a leading educational institution. The malware is masked as a system update file and decodes a string retrieved from a file delivered via Google Drive.

Further analysis showed that SysJoker has a specific list of targets and focuses on victims that are considered valuable. The attackers are active and monitoring the infected machines: the command-and-control server was changed while the investigation was under way.

Information gathering features and detection evading

This backdoor malware is a C++-based threat that is delivered by a dropper file fetched from a remote server. Samples produced no detections on VirusTotal. Once executed, the threat collects information about the compromised host: MAC addresses, usernames, physical media serial numbers, and IP addresses. These details are encoded and sent back to the remote server the criminals operate.

The connection to the attackers' server is established by fetching a text file from a hard-coded Google Drive link and extracting the command-and-control domain from it; the same Google Drive link hosts the text file that enables the malware launch. The server then sends instructions to the machine that trigger the RAT and allow it to run arbitrary commands and execute files.
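The mechanism above (a hard-coded Google Drive fetch followed by a first contact with the real command-and-control domain) leaves a sequence that can be hunted for in web-proxy logs. The script below is an added example written for this page, not code from the article or the researchers it cites. The log field layout, the host names and the time window are constructed assumptions; the only hard fact taken from the text is that the C2 domain is obtained from a file on Google Drive before the first C2 connection.

```python
"""
Hunt for the SysJoker-style C2 resolution pattern in web-proxy logs:
a client fetches a file from Google Drive and, within a short window,
contacts a destination host it has never talked to before.

The log format "<ISO timestamp> <client> <dest host> <method> <path>" is an
assumption made for this example, not any proxy product's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hostnames and file ids are placeholders).
SAMPLE_LOG = """\
2021-12-01T09:00:05 ws-17 drive.google.com GET /uc?export=download&id=PLACEHOLDER-ID
2021-12-01T09:00:31 ws-17 c2-placeholder.example GET /api/ping
2021-12-01T09:07:00 ws-17 www.example.org GET /index.html
2021-12-01T09:10:00 ws-22 drive.google.com GET /uc?export=download&id=PLACEHOLDER-ID2
2021-12-01T11:45:00 ws-22 update.example.net GET /patch
2021-12-01T08:00:00 ws-09 c2-placeholder.example GET /api/ping
"""

# Hosts that serve Google Drive downloads. Drive often redirects a download
# to other Google-owned hosts, so a production rule would extend this set.
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}


def parse_log(text):
    """Parse the assumed log layout into (timestamp, client, dest, method, path)
    tuples sorted by time, so clients can be evaluated in event order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, method, path = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), client, dest, method, path))
    events.sort(key=lambda e: e[0])
    return events


def find_drive_then_new_domain(events, window=timedelta(minutes=5), known=frozenset()):
    """Return (client, dest, timestamp) for every destination a client contacts
    for the first time within `window` after a Google Drive fetch.

    `known` is an optional allowlist of destinations that should never be
    flagged (e.g. the organisation's own update servers)."""
    seen = defaultdict(set)   # client -> destinations already observed
    last_drive = {}           # client -> time of most recent Google Drive fetch
    hits = []
    for ts, client, dest, method, path in events:
        if dest in DRIVE_HOSTS:
            last_drive[client] = ts
        elif client in last_drive and ts - last_drive[client] <= window:
            if dest not in seen[client] and dest not in known:
                hits.append((client, dest, ts))
        seen[client].add(dest)
    return hits


if __name__ == "__main__":
    for client, dest, ts in find_drive_then_new_domain(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {client} first contact with {dest} shortly after a Google Drive fetch")
```

In the constructed sample only ws-17 is flagged: ws-09 contacts the same placeholder domain but never fetched from Google Drive, and ws-22's later connection falls outside the window. Tune the window and the allowlist against your own baseline; the point of the rule is the ordering of the two events, not either event on its own.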

Unfortunately, no particular features can be used for the identification of a threat group or actor:

The fact that the code was written from scratch and hasn't been seen before in other attacks […] suggests that the attack is specific which usually fits for an advanced actor

Backdoor popularity in cyberattacks rises

The investigation revealed a number of facts. This is a new threat, and one that is rare because it runs on Linux, macOS, and Windows. Given that Linux malware is uncommon, seeing never-before-seen code in a live attack is rarer still.

The group behind this malware has registered four domains and written the malware for three different operating systems from scratch. These attacks seem extremely specific, so the group might have particular goals for the espionage campaign. Lateral movement that leads to ransomware attacks may be a secondary stage of the incident.[4]

Such cyber-attacks are commonly linked to various APT groups and are highly targeted, involving state-backed groups and governments as targets. These remote access trojans, backdoors, and other threats have stealthy infiltration capabilities. The attacks can proceed without any visible symptoms and cause major damage.

The anti-analysis functions let the malware infect machines and stay silent until the needed actions take place. There are many versions of such malware, so researchers release warnings and advisories all the time.[5]

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
