Security specialists are warning of new backdoor malware developed to operate throughout Windows, Mac and Linux, some variations of which are presently undetected in Virus Overall.
Dubbed “SysJoker” by researchers at Intezer, the malware was discovered during an attack on a Linux web server running in an schooling sector organization. It’s considered to date back to the second 50 percent of 2021.
“SysJoker masquerades as a procedure update and generates its C2 [command and control] by decoding a string retrieved from a textual content file hosted on Google Push,” the seller explained in a site write-up.
“During our examination the C2 modified a few periods, indicating the attacker is active and checking for infected machines. Centered on victimology and malware’s habits, we assess that SysJoker is soon after distinct targets.”
The malware is penned in C++, with every single sample tailored for the OS it targets. Worryingly, the Linux and macOS variations were fully undetected in VirusTotal at the time of creating.
Aside from the Windows model that contains a initially-phase dropper, all a few variants do the job the very same. Just after execution, the malware sleeps for up to 120 seconds, then makes a listing and copies by itself under this listing, pretending to be an Intel graphics typical person interface assistance executable.
It then covertly gathers details about the device and achieves persistence, sleeping in between these ways.
Conversation with the C2 server is attained by decoding a hardcoded Google Generate url that contains a text file with an encoded C2.
The C2 could down load further malware or run other commands on the sufferer machine.
Intezer claimed there are several explanations why SysJoker might be the get the job done of a advanced actor. It was published from scratch and hadn’t been witnessed in advance of in other attacks in the wild – evidently a rarity for Linux malware.
The attacker registered at the very least 4 different domains and wrote the malware for 3 discrete platforms.
“During our examination, we have not witnessed a second stage or command sent from the attacker,” Intezer concluded. “This suggests that the attack is particular which ordinarily fits for an highly developed actor.
Some pieces of this write-up are sourced from: