Researchers have discovered a never-before-seen backdoor, written from the ground up for systems running Windows, macOS or Linux, that went undetected by virtually all malware scanning engines.

Researchers from the security company Intezer said they discovered SysJoker, the name they gave the backdoor, on the Linux-based web server of a “leading educational institution”. When the researchers investigated, they found SysJoker versions for both Windows and macOS. They suspect that the cross-platform malware was released in the second half of last year.

The discovery is significant for several reasons. First, fully cross-platform malware is a rarity, as most malicious software is written for a specific operating system. The backdoor was also written from the ground up and utilized four separate command-and-control servers, an indication that the people who developed and used it were part of an advanced threat actor that invested significant resources. It is also unusual for previously unknown Linux malware to be found in a real attack.

Analysis of the Windows version (by Intezer) and of the macOS version (by researcher Patrick Wardle) revealed that SysJoker offers advanced backdoor capabilities. Executable files for both the Windows and macOS versions carried the .ts extension. Intezer said this could be an indication that the file was masquerading as a TypeScript app, spread after being sneaked into the npm JavaScript repository. Intezer went on to say that SysJoker poses as a system update.

Wardle, meanwhile, said the .ts extension could indicate that the file was masquerading as video transport stream content. He also found that the macOS file was digitally signed, albeit with an ad hoc signature.
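Both explanations for the .ts extension rely on the same trick: a native executable carrying a file name that suggests text (TypeScript) or media (MPEG transport stream). A defender can catch that mismatch by looking at the file's magic bytes rather than its name. The following is an added example, not code from Intezer, Wardle or the SysJoker analysis; the format magic numbers are public and the sample inputs are constructed inline.

```python
from pathlib import Path

# Magic numbers of the native executable formats SysJoker was built for.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O (big / little endian)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal (fat) Mach-O; also the Java class magic
TS_PACKET = 188                  # MPEG-TS packet size; each packet starts with sync byte 0x47


def classify(data: bytes) -> str:
    """Coarse content type from the leading bytes of a file (name is ignored)."""
    head = data[:4]
    if head == b"\x7fELF":
        return "elf"
    if head[:2] == b"MZ":
        return "pe"
    if head in MACHO_MAGICS:
        return "macho"
    if head == FAT_MAGIC and len(data) >= 8:
        # Fat header field at offset 4 is nfat_arch (small); a Java class file has
        # minor/major version there (major >= 45), so a small value means Mach-O.
        return "macho" if int.from_bytes(data[4:8], "big") < 0x20 else "java-class"
    # Real MPEG-TS: sync byte 0x47 at the start of consecutive 188-byte packets.
    if len(data) >= 3 * TS_PACKET and all(data[i * TS_PACKET] == 0x47 for i in range(3)):
        return "mpeg-ts"
    try:
        data.decode("utf-8")
        return "text"  # plausible TypeScript or other source text
    except UnicodeDecodeError:
        return "unknown"


def is_disguised_executable(name: str, data: bytes) -> bool:
    """True when a file named *.ts is really an ELF, PE or Mach-O executable."""
    return name.lower().endswith(".ts") and classify(data) in {"elf", "pe", "macho"}


def scan_dir(root: str) -> list:
    """List .ts files under root whose content is a native executable."""
    hits = []
    for p in Path(root).rglob("*.ts"):
        if p.is_file():
            with open(p, "rb") as f:
                if is_disguised_executable(p.name, f.read(4096)):
                    hits.append(str(p))
    return hits


if __name__ == "__main__":
    # Constructed samples: a Mach-O header under a .ts name versus genuine TypeScript text.
    print(is_disguised_executable("update.ts", b"\xcf\xfa\xed\xfe" + b"\0" * 28))  # True
    print(is_disguised_executable("index.ts", b"export const v = 1;\n"))            # False
```

Run `scan_dir("/path/to/check")` over a web root or user directory to list the mismatches; the check only reads the first 4 KiB of each file, so it is cheap to run broadly.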

SysJoker is written in C++, and as of Tuesday, the Linux and macOS versions were completely undetected by the VirusTotal malware search engine. The backdoor generates its control server domain by decoding a string retrieved from a text file hosted on Google Drive. While the researchers were analyzing it, the server changed three times, indicating that the attacker was active and monitoring for infected computers.

Based on the target organizations and the behavior of the malware, Intezer’s assessment is that SysJoker looks for specific targets, most likely with the aim of “espionage along with lateral movement, which could also lead to a ransomware attack as one of the next phases”.
