Researchers have discovered a never-before-seen backdoor, written from the ground up for systems running Windows, macOS or Linux, that went undetected by virtually all malware scanning engines.
Researchers from the security company Intezer said they discovered SysJoker – the name they gave the backdoor – on the Linux-based web server of a “leading educational institution”. When the researchers investigated, they found SysJoker versions for both Windows and macOS. They suspect that the cross-platform malware was released in the second half of last year.
The discovery is significant for several reasons. First, fully cross-platform malware is a rarity, as most malicious software is written for a specific operating system. The backdoor was also written from scratch and used four separate command-and-control servers, an indication that the people who developed and operated it were part of an advanced threat actor that invested significant resources. It is also unusual for previously unknown Linux malware to be found in a real attack rather than in a lab sample.
SysJoker is written in C++, and as of Tuesday, the Linux and macOS versions were completely undetected by the VirusTotal malware search engine. Rather than hardcoding its control server, the backdoor derives the domain by decoding a string retrieved from a text file hosted on Google Drive, a so-called dead-drop resolver. The practical consequence for defenders is that blocking a single C2 domain does not disable the implant; the operator only has to edit the hosted file. Over the course of the researchers’ analysis, the server changed three times, indicating the attacker was active and monitoring for infected computers.
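The dead-drop resolution scheme described above, as an added illustration that is not Intezer’s code or SysJoker’s: the article says only that the implant “decodes a string” from the hosted text file, so the encoding used here (base64 over a single-byte XOR), the key, the Google Drive URL and the domain names are all assumptions, and the network fetch is replaced by an injected callable so the script runs offline against constructed snapshots of the file.

```python
"""Dead-drop C2 resolution, as an added illustration (not SysJoker's own code).

The encoding below (base64 over a single-byte XOR) and every URL, key and
domain are ASSUMED for the sake of the example; the article does not state
what SysJoker actually uses. The fetch is a plain callable so the whole thing
runs offline against constructed data.
"""
import base64
from typing import Callable, Iterable

XOR_KEY = 0x5A  # assumed key, chosen for illustration only

# Constructed stand-in for the hosted text file; not a real Google Drive ID.
DEAD_DROP_URL = "https://drive.google.com/uc?export=download&id=EXAMPLE_ID"


def encode_dead_drop(domain: str, key: int = XOR_KEY) -> str:
    """What the operator publishes: XOR each byte with the key, then base64."""
    xored = bytes(b ^ key for b in domain.encode("ascii"))
    return base64.b64encode(xored).decode("ascii")


def decode_dead_drop(blob: str, key: int = XOR_KEY) -> str:
    """What the implant (or an analyst re-implementing it) does with the
    fetched text: strip, base64-decode, undo the XOR, sanity-check the result."""
    raw = base64.b64decode(blob.strip(), validate=True)
    domain = bytes(b ^ key for b in raw).decode("ascii")
    if not domain or any(c.isspace() for c in domain):
        raise ValueError("decoded value does not look like a hostname")
    return domain


def resolve_c2(fetch: Callable[[str], str], url: str = DEAD_DROP_URL) -> str:
    """Fetch the dead-drop file and turn its contents into the live C2 domain.
    `fetch` is injected so the same code works with a real HTTP client or,
    as here, with canned data."""
    return decode_dead_drop(fetch(url))


def track_c2_rotation(snapshots: Iterable[str]) -> list[str]:
    """Given successive captures of the dead-drop file (as an analyst polling
    it would collect), return the distinct C2 domains in the order they
    appeared, collapsing consecutive duplicates. Four distinct domains means
    the operator rotated the server three times."""
    seen: list[str] = []
    for blob in snapshots:
        domain = decode_dead_drop(blob)
        if not seen or seen[-1] != domain:
            seen.append(domain)
    return seen


# Constructed observation series: the file was polled six times and the
# operator changed the domain three times in between (all names invented).
ROTATION_DOMAINS = [
    "c2-alpha.example",
    "c2-bravo.example",
    "c2-charlie.example",
    "c2-delta.example",
]
SNAPSHOTS = [
    encode_dead_drop(ROTATION_DOMAINS[0]),
    encode_dead_drop(ROTATION_DOMAINS[0]),  # unchanged on second poll
    encode_dead_drop(ROTATION_DOMAINS[1]),
    encode_dead_drop(ROTATION_DOMAINS[2]),
    encode_dead_drop(ROTATION_DOMAINS[2]),  # unchanged again
    encode_dead_drop(ROTATION_DOMAINS[3]),
]


def canned_fetch(url: str) -> str:
    """Offline stand-in for an HTTP GET of the hosted text file."""
    assert url == DEAD_DROP_URL, "unexpected dead-drop URL"
    return SNAPSHOTS[-1] + "\n"  # trailing newline, as a text file would have


if __name__ == "__main__":
    print("current C2:", resolve_c2(canned_fetch))
    print("rotation history:", track_c2_rotation(SNAPSHOTS))
```

The point of separating `resolve_c2` from the fetch is that the same decoder serves both sides of the problem: it is what the implant runs, and it is what an analyst runs against periodic captures of the hosted file to build a timeline of C2 changes, which is how observations like “the server changed three times” are made. Detection should therefore key on the fetch of the dead-drop URL and on the decoder’s behaviour, not on any single decoded domain.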
Based on the target organizations and the behavior of the malware, Intezer’s assessment is that SysJoker looks for specific targets, most likely with the aim of “espionage along with lateral movement, which could also lead to a ransomware attack as one of the next phases”.