
A new multi-platform backdoor is leveraged by an advanced threat actor
2022-01-12 13:14

A novel multi-platform backdoor dubbed SysJoker has been successfully evading security solutions since mid-2021.

"In the Linux and macOS versions, it masquerades as a system update. In the Windows version, it masquerades as Intel drivers. The update names are somewhat generic: In the macOS version, the file is relocated and named 'updateMacOs' and in the Linux version it is named 'updateSystem'," Avigayil Mechtinger, security researcher at Intezer, has shared with Help Net Security.

Intezer researchers spotted the backdoor during an active attack on an Apache web server belonging to a leading educational institution.

The only difference between the Windows version and those for Linux and macOS is that the former contains a first-stage dropper.

"Based on C2 domain registration and samples found in VirusTotal, we estimate that the SysJoker attack was initiated during the second half of 2021. During our analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines," the researchers shared.

The researchers attribute the SysJoker attack to an advanced threat actor for three reasons: the malware's code is original, previously unseen Linux malware is rarely found in a live attack, and during their analysis no second stage or command was observed being sent by the attacker.


News URL

https://www.helpnetsecurity.com/2022/01/12/multi-platform-backdoor/