I've been reading quite a bit about SysJoker in the last few hours, and I think the best article on it is the one from Ars Technica ( ). I pulled together a lot of the information from that article here and then added my own two cents. For the Sir Apfelot Blog this is interesting because SysJoker not only runs on Windows and Linux but can also attack Macs.
To put your mind at ease, let me first address the question of whether SysJoker is dangerous for Macs. Yes, in principle SysJoker is a threat to every Mac, just like any other malware. On modern macOS versions, malware that wants to dig in system-wide generally needs admin rights, so if a program asks you for your admin password for no apparent reason, do not enter it. Bear in mind, though, that the password prompt is only one line of defence: a program running as your normal user account can still read your files and persist as a user-level LaunchAgent without ever asking for a password.
If you stick to that, stay away from cracked software and dubious websites, and don't click links in phishing e-mails, you should be on the safe side.
I would also assume that the usual antivirus products for Mac are by now aware of SysJoker and can detect and remove the malware.
Security researchers have discovered malware written from scratch for Windows, macOS and Linux that, at the time of discovery, slipped past almost all malware scanners.
According to researchers at Intezer, SysJoker (the name they gave the backdoor) was first found on the Linux-based web server of a "leading academic institution". Investigating further, they found Windows and macOS versions as well. They believe SysJoker was launched in the second half of 2021.
In many articles about SysJoker you read about a "backdoor", and the term is easily misread. In one sense a backdoor is a hidden access path deliberately built into a system so it can be exploited later, and a phrase like "backdoor in Windows, Linux and macOS" sounds as if the three operating systems had such an intentional gap. That is nonsense. In malware taxonomy, however, "backdoor" simply means malicious software that opens remote access to a machine for the attacker, and that is what SysJoker is: "only" malware, with a few special features that we'll get to in a moment.
First, cross-platform malware is uncommon; most malware is written for a single platform. The RAT (remote access trojan) in SysJoker was also built from scratch and uses four different command-and-control servers, which suggests the developers are part of an advanced threat actor. It is also unusual for previously unknown Linux malware to show up in a real attack.
Finally, Intezer could not determine how the malware was introduced. One hypothesis is that it arrived via a malicious npm package or a rogue extension that conceals the installer; that would mean the infections were caused by deception rather than by exploiting a vulnerability.
Meanwhile, macOS security researcher Patrick Wardle noted that the .ts extension of the macOS sample could be meant to make the file look like video transport stream content. He also found that the macOS binary was cryptographically signed, but only with an ad hoc signature, i.e. with no developer certificate behind it that Apple could revoke.
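The quickest way to tell an ad hoc signature from a real one is Apple's `codesign -dv --verbose=4 <file>`: an ad hoc signed binary reports `Signature=adhoc` and no `Authority=` lines, a properly signed one lists its certificate chain under `Authority=`, and an unsigned one says "code object is not signed at all". The script below, an added example for this post and not code from Intezer, Patrick Wardle or the SysJoker authors, classifies that output; the two sample outputs in it are constructed, not captured from a real sample.

```python
"""Classify a Mach-O binary's code signature from `codesign` output.

Added example for this post; it is not code from Intezer, Patrick Wardle or
the SysJoker authors. The two sample outputs below are constructed.
"""
import subprocess
import sys

SAMPLE_ADHOC = """\
Executable=/Users/alice/Downloads/sample.bin
Identifier=sample
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=10+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
"""

SAMPLE_DEVID = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8987
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2022 at 10:00:00
TeamIdentifier=ABCDE12345
"""


def parse_codesign(output):
    """Reduce codesign's key=value lines to the fields the check needs."""
    info = {"adhoc": False, "authorities": [], "team": None}
    for line in output.splitlines():
        if line.startswith("Authority="):
            info["authorities"].append(line.split("=", 1)[1])
        elif line.startswith("Signature=adhoc"):
            info["adhoc"] = True
        elif line.startswith("TeamIdentifier="):
            team = line.split("=", 1)[1]
            info["team"] = None if team == "not set" else team
    return info


def signature_kind(output):
    """Return 'unsigned', 'adhoc' or 'signed' for one codesign output."""
    if "code object is not signed at all" in output:
        return "unsigned"
    info = parse_codesign(output)
    # An ad hoc signature has no certificate chain behind it, hence no
    # Authority= lines: nobody vouches for the binary and nothing can be revoked.
    if info["adhoc"] or not info["authorities"]:
        return "adhoc"
    return "signed"


def check_binary(path):
    """Run codesign on macOS against a real file (codesign reports on stderr)."""
    if sys.platform != "darwin":
        raise RuntimeError("codesign is only available on macOS")
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    return signature_kind(proc.stderr + proc.stdout)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(check_binary(target) if target else signature_kind(SAMPLE_ADHOC))
```

Run it with a path on a Mac to check a real file; without arguments it classifies the constructed ad hoc sample. An "adhoc" verdict on something that claims to be a software update is a strong hint that it never went through Apple's Developer ID and notarization process.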
The malware is written in C++, and at the time of the analysis the Linux and macOS versions were not detected by any engine on VirusTotal. The command-and-control domain is not hard-coded in the binary; it is obtained by decoding a string from a text file hosted on Google Drive. During the investigation the server changed three times, showing that the attacker was active and keeping an eye on infected machines.
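This "dead drop" arrangement is what makes the three server changes cheap for the attacker: the implant, and every hash-based signature for it, stays the same while the operator simply edits the text file. The example below, added for this post and not code from Intezer or the SysJoker authors, shows the resolver pattern and one detection idea that does not depend on knowing the current C2 domain. The encoding (plain base64), the hostnames and the proxy log lines are all constructed for the demonstration.

```python
"""Dead-drop C2 resolution and a detection idea for it.

Added example for this post; not code from Intezer or the SysJoker authors.
The base64 encoding, the hostnames and the log lines are constructed.
"""
import base64

DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
KNOWN_GOOD = DRIVE_HOSTS | {"www.apple.com", "update.example.org"}


def encode_dead_drop(c2_domain):
    """What the operator uploads: an innocent-looking text blob."""
    return base64.b64encode(c2_domain.encode()).decode()


def decode_dead_drop(contents):
    """What the implant does after fetching the file."""
    return base64.b64decode(contents.strip()).decode()


# Three rotations of the same dead drop; nothing in the implant changes.
DEAD_DROP_VERSIONS = [encode_dead_drop(d) for d in
                      ("c2-one.example", "c2-two.example", "c2-three.example")]


def resolve_c2(version):
    return decode_dead_drop(DEAD_DROP_VERSIONS[version])


# Constructed proxy log: epoch seconds, host, process, destination.
PROXY_LOG = """\
1641902400 mac-17 updater drive.google.com
1641902402 mac-17 updater c2-one.example
1641902410 mac-17 Safari drive.google.com
1641902411 mac-17 Safari www.apple.com
1641906000 mac-17 updater drive.google.com
1641906001 mac-17 updater c2-two.example
"""


def dead_drop_followups(log, window=30):
    """Flag (process, destination) pairs where a process fetched something
    from a Drive host and, within `window` seconds, connected to a host that
    is neither allowlisted nor seen earlier in the log. The rule keys on the
    behaviour (trusted fetch, then first contact with an unknown host), so it
    survives the C2 rotation that defeats a plain domain blocklist."""
    seen = set()
    last_drive = {}   # (host, process) -> time of last Drive fetch
    hits = []
    for line in log.splitlines():
        ts, host, proc, dst = line.split()
        ts = int(ts)
        key = (host, proc)
        if dst in DRIVE_HOSTS:
            last_drive[key] = ts
        elif (dst not in KNOWN_GOOD and dst not in seen
              and key in last_drive and ts - last_drive[key] <= window):
            hits.append((proc, dst))
        seen.add(dst)
    return hits


if __name__ == "__main__":
    for v in range(len(DEAD_DROP_VERSIONS)):
        print("dead drop v%d -> C2 %s" % (v, resolve_c2(v)))
    print(dead_drop_followups(PROXY_LOG))
```

The browser's Drive fetch followed by a visit to www.apple.com is not flagged, while the non-browser "updater" process is flagged both times it follows a Drive fetch with a first contact to a fresh domain. In practice you would feed real proxy or EDR network events into the same logic and tune the allowlist and window for your environment.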
Based on the targeted organizations and the malware's behaviour, Intezer believes SysJoker is targeting specific individuals for espionage, combined with lateral movement that could lead to a ransomware attack as one of the next stages.
Jens has been running the blog since 2012. He appears as Sir Apfelot for his readers and helps them with problems of a technical nature. In his free time he drives electric unicycles, takes photos (preferably with his iPhone, of course), climbs around in the Hessian mountains or hikes with the family. His articles deal with Apple products, news from the world of drones or solutions for current bugs.