New "Undetected" Backdoor Runs Across Three OS Platforms

Security experts are warning of new backdoor malware designed to work across Windows, Mac and Linux, some versions of which are currently undetected in VirusTotal.



Dubbed “SysJoker” by researchers at Intezer, the malware was discovered during an attack on a Linux web server running in an education sector organization. It’s believed to date back to the second half of 2021.



“SysJoker masquerades as a system update and generates its C2 [command and control] by decoding a string retrieved from a text file hosted on Google Drive,” the vendor explained in a blog post.



“During our analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines. Based on victimology and malware’s behavior, we assess that SysJoker is after specific targets.”



The malware is written in C++, with each sample customized for the OS it targets. Worryingly, the Linux and macOS versions were fully undetected in VirusTotal at the time of writing.



Aside from the Windows version containing a first-stage dropper, all three variants work the same way. After execution, the malware sleeps for up to 120 seconds, then creates a directory and copies itself into it, pretending to be an Intel graphics common user interface service executable.



It then covertly gathers information about the machine and achieves persistence, sleeping between these steps.



To communicate with the C2 server, the malware decodes a hardcoded Google Drive link, which points to a text file containing the encoded C2.



The C2 may then deliver additional malware or issue other commands to run on the victim machine.
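The Google Drive lookup described above suggests a hunting heuristic, shown here as an added example that is not from Intezer or the original article: flag a non-browser process that requests Google Drive and shortly afterwards contacts a domain outside the expected baseline. The event format, process paths, domains, allowlists and five-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): time, host, process image, destination.
EVENTS = """\
2022-01-12T09:00:05 web01 /usr/bin/firefox drive.google.com
2022-01-12T09:00:40 web01 /usr/bin/firefox news.example.org
2022-01-12T09:14:02 web01 /home/svc/.cache/updater drive.google.com
2022-01-12T09:14:09 web01 /home/svc/.cache/updater c2-placeholder.example.net
2022-01-12T10:30:00 db02 /usr/bin/curl drive.google.com
2022-01-12T10:30:20 db02 /usr/bin/curl pkg.example.com
2022-01-12T11:45:00 db02 /usr/bin/curl cdn.example.org
"""

BROWSERS = {"firefox", "chrome", "msedge", "safari"}   # assumed browser allowlist
KNOWN_GOOD = {"drive.google.com", "pkg.example.com"}    # assumed baseline of expected domains
WINDOW = timedelta(minutes=5)                           # assumed correlation window

def parse(text):
    """Yield (time, host, image, destination) from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, host, image, dest = parts
        yield datetime.fromisoformat(ts), host, image, dest.lower()

def find_dead_drop_candidates(text):
    """Return (host, image, domain) where a non-browser process fetched from
    Google Drive and then contacted a non-baseline domain within WINDOW."""
    last_drive = {}  # (host, image) -> time of most recent Drive request
    hits = []
    for ts, host, image, dest in sorted(parse(text)):
        if image.rsplit("/", 1)[-1].lower() in BROWSERS:
            continue  # browsers reach Drive and arbitrary sites all the time
        key = (host, image)
        if dest == "drive.google.com":
            last_drive[key] = ts
        elif dest not in KNOWN_GOOD and key in last_drive \
                and ts - last_drive[key] <= WINDOW:
            hits.append((host, image, dest))
    return hits

if __name__ == "__main__":
    for hit in find_dead_drop_candidates(EVENTS):
        print("review:", *hit)
```

A hit is a lead for triage rather than a verdict, since sync clients and scripts also fetch from Drive; tune the baseline and window to the environment.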



Intezer claimed there are several reasons why SysJok ..
