Researchers at the cybersecurity company Intezer have discovered a previously unknown backdoor that evades many antivirus tools. The malware, named SysJoker, was first found on a Linux server belonging to a “leading educational institution”; the researchers later identified Windows and macOS versions of the same backdoor.
Intezer’s discovery is notable for several reasons. Cross-platform malware of this kind is rare. SysJoker was also written from scratch rather than assembled from known code, and its operators used four separate command-and-control servers during the analysis to keep it running, which indicates a skilled actor with significant resources at its disposal. It is equally uncommon for previously unseen Linux malware to turn up in a live intrusion. Analysis of the Windows and macOS versions showed that the malware offers advanced backdoor capabilities.
The malware’s executable carries a .ts file extension, which is normally associated with TypeScript source files or MPEG transport-stream video rather than with a native binary. Once on the victim’s device, the malware masquerades as a system update. Intezer’s report notes that SysJoker is written in C++ and that, at the time of publication, the Linux and macOS versions were not detected by any of the engines on VirusTotal. Intezer’s researchers assess that SysJoker is currently being used by an as-yet unidentified actor for espionage, and they do not rule out that it could later be used to stage ransomware.
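The masquerading described above, a native executable carrying a .ts extension, can be hunted for by comparing each file’s extension with its magic bytes. The Python script below is an added example written for this article; it is not Intezer’s tooling, and the sample files it creates are constructed stand-ins rather than SysJoker bytes. It assumes the analyst can read the files on the host being checked; the list of “suspect” extensions and the executable-format heuristics are the author’s own choices.

```python
"""Flag files whose extension claims a text or media format but whose
magic bytes say they are native executables (ELF, Mach-O, PE).

Added example for this article, not Intezer's code. File names and
header bytes in SAMPLES are constructed for illustration only.
"""
import struct
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions that should never begin with a native executable header.
# (Assumption: tune this list to the environment being hunted.)
SUSPECT_EXTENSIONS = {".ts", ".txt", ".log", ".json", ".mp4", ".jpg", ".pdf"}

# Mach-O magic numbers, both byte orders, plus the fat/universal header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                       # fat binary (shared with Java .class)
}


def native_format(head: bytes) -> Optional[str]:
    """Return 'ELF', 'Mach-O', 'PE' or None from the first 8 bytes of a file."""
    if head.startswith(b"\x7fELF"):
        return "ELF"
    if head[:4] in MACHO_MAGICS:
        if head[:4] == b"\xca\xfe\xba\xbe":
            # Java class files share 0xCAFEBABE. Bytes 4..8 hold the class
            # version there (major >= 45), but a fat Mach-O stores a small
            # architecture count, so a tiny value means Mach-O (heuristic).
            if len(head) < 8:
                return None
            nfat_arch = struct.unpack(">I", head[4:8])[0]
            return "Mach-O" if 0 < nfat_arch <= 16 else None
        return "Mach-O"
    if head.startswith(b"MZ"):
        # DOS/PE stub. A stricter check would follow e_lfanew to the "PE\0\0"
        # signature; the MZ prefix alone is enough for a triage hit.
        return "PE"
    return None


def scan(root: Path) -> List[Tuple[Path, str]]:
    """Walk root and return (path, format) for suspect-extension files
    that carry a native executable header."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        with path.open("rb") as f:
            head = f.read(8)
        fmt = native_format(head)
        if fmt:
            hits.append((path, fmt))
    return hits


# Constructed samples (not real SysJoker bytes): an ELF header prefix saved
# as "update.ts", a genuine TypeScript file, an MZ stub saved as a .txt,
# and an MPEG-TS packet (sync byte 0x47) that is a legitimate .ts file.
SAMPLES = {
    "update.ts": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 56,
    "app.ts": b"export const version = '1.0';\n",
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "video.ts": b"\x47\x40\x00\x10" + b"\x00" * 184,
}


def demo() -> List[Tuple[str, str]]:
    """Write the constructed samples to a temp dir, scan it, and return
    the sorted (file name, format) hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in SAMPLES.items():
            (root / name).write_bytes(data)
        return sorted((p.name, fmt) for p, fmt in scan(root))


if __name__ == "__main__":
    for name, fmt in demo():
        print(f"{name}: {fmt} executable behind a non-executable extension")
```

Run `scan(Path("/path/to/check"))` against a real directory; on a live host, pair the magic-byte check with the file’s mtime and the process that created it, since a dropper that writes a “.ts” executable and then launches it is the behaviour worth alerting on, not the extension by itself.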