SysJoker: Remote Access Tool (RAT) malware for macOS, Windows and Linux


I've been reading quite a bit about SysJoker in the last few hours and I think the best article on it is one from ArsTechnica ( ). I "scrambled" a lot of the information in this article here and then added my own two cents. For the Sir Apfelot Blog, this is interesting because SysJoker not only runs on Windows and Linux, but can also attack Macs.

Is SysJoker a threat to my Mac?

To put your mind at ease, I would like to clarify this question first. Yes, in principle SysJoker is a threat to every Mac - just like any other malware. In modern macOS versions, these generally require admin rights to run. This means that if a program asks you for your admin password for no apparent reason, you should not enter it.

If you stick to it and then refrain from cracked software and dubious websites and not from links in Phishing e-mails clicks, then you should actually be on the safe side.

If you still want to be on the safe side, you can join Malwarebytes get a reliable scanner for viruses and malware that often recommended is.

However, I think that other antivirus software products for Mac are already aware of the SysJoker threat and can detect and remove the malware.

The SysJoker malware makes it possible to remotely control the infected computer and install other malicious programs (Graphic: Intezer).

The SysJoker malware makes it possible to remotely control the infected computer and install other malicious programs (Graphic: Intezer).

How was SysJoker discovered?

Security researchers have discovered a malware written from the ground up for Windows, macOS or Linux systems that bypassed almost all malware scanners.

According to researchers at Intezer, SysJoker - as they call the backdoor malware - was discovered on the Linux-based web server of a "leading academic institution". Investigating further, the researchers found SysJoker versions for Windows and macOS. They believe that SysJoker was launched in the second half of last year.

No backdoor in the operating system

In many articles about SysJoker you read about a backdoor, but actually this is the wrong term, because a backdoor is a security hole that is intentionally built into a system in order to exploit it later. If you write about a "backdoor in Windows, Linux and macOS", it sounds as if it were an intentional gap in the three operating systems. That's nonsense, because SysJoker is "only" malware - with a few special features, which we'll get to in a moment.

What makes SysJoker so special?

First, cross-platform malware is uncommon, as most malware is developed for a single platform. The RAT (remote control software) in SysJoker was also built from the ground up and uses four different command and control servers, suggesting the developers are part of an advanced threat actor. It is also unusual for previously unknown Linux malware to show up in a real attack.

How does SysJoker infiltrate?

According to analyzes of the Windows version (from Intezer) and the Mac version (from explorer Patrick Wardle) SysJoker offers sophisticated backdoor functions. The .ts and .exe suffixes were found in both the Windows and macOS version executables. According to Intezer, this could indicate that the file disguised as a script app was disguised as a system update after being placed in the npm JavaScript repository. SysJoker should pretend to be a system update.

Finally, Intezer could not determine how the malware was introduced. The hypothesis that it was installed via a malicious npm package or a rogue extension to hide the illegal installer suggests that the infections were not caused by exploiting a vulnerability but by deception.

Meanwhile, Wardle said the .ts extension could indicate the file is disguised as video transport stream content. He discovered that the OSX file was cryptographically signed, but only with an ad hoc signature.

What is the SysJoker malware doing on the system?

The malware's code is written in C++, and the Linux and macOS versions were not detected at all by the malware search engine VirusTotal. The control server domain is created by decoding a string from a Google Drive text file. During the researchers' investigation, the server was updated three times, proving that the attacker was active and looking for infected computers.

Based on the targeted organizations and the activities of the malware, Intezer believes that SysJoker is targeting specific individuals for e-espionage in conjunction with other actions that could lead to a ransomware attack in one of the next steps.

Did you like the article and did the instructions on the blog help you? Then I would be happy if you the blog via a Steady Membership or at Patreon would support.

Leave a Comment

Your e-mail address will not be published. Required fields are marked with * marked