I've been reading quite a bit about SysJoker in the last few hours and I think the best article on it is one from ArsTechnica (Which). I “scrambled” a lot of the information in this article here and then added my own two cents. For the Sir Apfelot Blog, this is interesting because SysJoker not only runs on Windows and Linux, but can also attack Macs.
Chapter in this post:
Is SysJoker a threat to my Mac?
To put your mind at ease, I would like to clarify this question first. Yes, in principle SysJoker is a threat to every Mac - just like any other malware. In modern macOS versions, these generally require admin rights to run. This means that if a program asks you for your admin password for no apparent reason, you should not enter it.
If you stick to it and then refrain from cracked software and dubious websites and not from links in Phishing e-mails clicks, then you should actually be on the safe side.
If you still want to be on the safe side, you can join Malwarebytes get a reliable scanner for viruses and malware that often recommended is.
However, I think that other antivirus software products for Mac are already aware of the SysJoker threat and can detect and remove the malware.
How was SysJoker discovered?
Security researchers have discovered a malware written from the ground up for Windows, macOS or Linux systems that bypassed almost all malware scanners.
According to researchers at Intezer, SysJoker - as they call the backdoor malware - was discovered on the Linux-based web server of a "leading academic institution". Investigating further, the researchers found SysJoker versions for Windows and macOS. They believe that SysJoker was launched in the second half of last year.
No backdoor in the operating system
In many articles about SysJoker you read about one Backdoor, but actually this is the wrong term, because a backdoor is a security hole intentionally built into a system for later exploitation. When you write about a “backdoor in Windows, Linux and macOS”, it sounds like it is an intentional gap in the three operating systems. That's nonsense, because SysJoker is "only" malware - with a few special features, which we'll get to in a moment.
What makes SysJoker so special?
First, cross-platform malware is uncommon, as most malware is developed for a single platform. The RAT (remote control software) in SysJoker was also built from the ground up and uses four different command and control servers, suggesting the developers are part of an advanced threat actor. It is also unusual for previously unknown Linux malware to show up in a real attack.
How does SysJoker infiltrate?
According to analyzes of the Windows version (from Intezer) and the Mac version (from explorer Patrick Wardle) SysJoker offers sophisticated backdoor functions. The .ts and .exe suffixes were found in both the Windows and macOS version executables. According to Intezer, this could indicate that the file disguised as a script app was disguised as a system update after being placed in the npm JavaScript repository. SysJoker should pretend to be a system update.
Finally, Intezer could not determine how the malware was introduced. The hypothesis that it was installed via a malicious npm package or a rogue extension to hide the illegal installer suggests that the infections were not caused by exploiting a vulnerability but by deception.
Meanwhile, Wardle said the .ts extension could indicate the file is disguised as video transport stream content. He discovered that the OSX file was cryptographically signed, but only with an ad hoc signature.
What is the SysJoker malware doing on the system?
The malware's code is written in C++, and the Linux and macOS versions were found by the malware search engine VirusTotal not discovered at all. The control server domain is created by decoding a string from a Google Drive text file. During the researchers' investigation, the server was updated three times, proving that the attacker was active and looking for infected computers.
Based on the targeted organizations and the activities of the malware, Intezer assumes that SysJoker is targeting certain individuals with the aim of e-espionage in conjunction with other actions that will be one of the next steps towards a Ransomware- could lead to an attack.
Related Articles
New iPads: Apple announces event for May 7, 2024- Sir Apfelot newsreel week 16, 2024
- More AI, more sales: The M4 chip is intended to increase Mac sales
- Sir Apfelot newsreel week 15, 2024
- Find my Android device: Google has launched its own “Find My?”
- Sir Apfelot newsreel week 14, 2024
- DALL-E and Sora: OpenAI shows new AI developments
- Fiber optic internet: Up to 4,5 million times faster thanks to E-band
Jens has been running the blog since 2012. He acts as Sir Apfelot for his readers and helps them with technical problems. In his spare time he rides electric unicycles, takes photos (preferably with the iPhone, of course), climbs around in the Hessian mountains or hikes with the family. His articles deal with Apple products, news from the world of drones or solutions to current bugs.
