“In the Linux and macOS versions, it masquerades as a system update. In the Windows version, it masquerades as Intel drivers. The update names are somewhat generic: In the macOS version, the file is relocated and named ‘updateMacOs’ and in the Linux version it is named ‘updateSystem’,” Avigayil Mechtinger, security researcher at Intezer, has shared with Help Net Security.
SysJoker: A multi-platform backdoor
Intezer researchers spotted the backdoor during an active attack on an Apache web server belonging to a leading educational institution. It had been uploaded via a reverse shell.
SysJoker’s behavior is similar for all three operating systems: once executed, it “sleeps” for 90 to 120 seconds before it starts to:
- Create directories and copy itself
- Gather information about the machine (MAC address, user name, physical media serial number, IP address)
- Add entries to a registry key to achieve persistence
- Contact a command and control server
The various instructions it can receive from the C2 server allow it to drop and run another executable, as well as run specific commands.
The only difference between the Windows version and those for Linux and macOS is that the former contains a first-stage dropper.
A stealthy threat
When the researchers published their findings on Tuesday (January 12), SysJoker’s Linux and macOS versions still went undetected by the various security solutions on VirusTotal. Since then, a dozen or so of those solutions have become able to spot them.
“Based on C2 domain registration and samples found in VirusTotal, we estimate that the SysJoker attack was initiated during the second half of 2021. During our analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines,” the researchers shared.
They have not observed many samples of the malware in the wild, so they believe that attacks leveraging it are limited in scope.
Among the other possible reasons Mechtinger gives for the malware’s prolonged ability to fly under the radar are the immaturity of security tools for Linux and macOS systems and the obfuscation of the C2 server domains.
“The domain is dynamically fetched from a Google Drive link, therefore the address is easy to update, and any traffic to Google Drive will not normally be seen as suspicious in a network,” he explained.
It is unknown whether there have been other targets or victims. Judging by the currently available information, the attacker seems to focus on academic institutions.
“One of the C2 server domains typosquats the software ‘Bookitlab’, which is commonly used by universities and scientific institutions for facility management and lab equipment scheduling software,” Mechtinger shared.
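One way a defender can hunt for the kind of typosquatting described above in DNS query logs, as an added example that is not Intezer’s published detection content: the brand name comes from the article, while the distance threshold, the log format and the sample log lines are assumptions and constructed samples (no real SysJoker domain appears here).

```python
"""Flag queried domains whose registrable label looks like a typosquat of a brand."""
import re

BRAND = "bookitlab"   # product the article says one SysJoker C2 domain typosquats
MAX_DISTANCE = 2      # assumed threshold: flag labels within this many edits of BRAND


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(fqdn: str) -> str:
    """Label left of the TLD, e.g. 'bookitlab' for 'api.bookitlab.com'.
    Assumes a one-label TLD; production code would consult the Public Suffix List."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_score(fqdn: str, brand: str = BRAND) -> int:
    """Distance between the domain's label and the brand, ignoring digits and
    hyphens so that 'book-it-lab1' is still compared as 'bookitlab'."""
    label = re.sub(r"[-\d]", "", registrable_label(fqdn))
    return levenshtein(label, brand)


def flag_lookalikes(log_lines, brand=BRAND, max_distance=MAX_DISTANCE):
    """Return (client, domain, distance) for queries close to the brand that are
    not the brand's own registrable domain."""
    hits = []
    for line in log_lines:
        m = re.match(r"\S+ (\S+) query (\S+)", line)  # constructed format: ts client query fqdn
        if not m:
            continue
        client, fqdn = m.groups()
        if registrable_label(fqdn) == brand:
            continue  # the legitimate domain itself is expected traffic
        distance = lookalike_score(fqdn, brand)
        if distance <= max_distance:
            hits.append((client, fqdn.lower(), distance))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "12:00:01 10.1.2.3 query bookitlab.com",
    "12:00:02 10.1.2.4 query bookltlab.com",
    "12:00:03 10.1.2.5 query bookit-lab.net",
    "12:00:04 10.1.2.6 query drive.google.com",
]
```

Distance 0 hits (the brand with only hyphens or digits added) deserve the closest look; the Google Drive query is not flagged here, which is exactly why the article’s point about C2 addresses fetched via Google Drive matters.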
The researchers believe that the SysJoker attack is the work of an advanced threat actor: the malware’s code (for all operating systems) is original, it is rare to find previously unseen Linux malware in a live attack, and they have not witnessed a second stage or a command sent from the attacker, which suggests the attack is targeted.
It’s impossible to tell whether the malware is setting the stage for cyber espionage or ransomware delivery. Still, neither objective is good news for potential targets, and either could lead to very negative outcomes.
The researchers have released indicators of compromise (IoCs) and detection content to help defenders hunt for infected machines on their networks, and have offered advice on remediation.