Security researchers find a rare cross-platform malware “SysJoker” for macOS, Windows and Linux

Cyber security researchers at Intezer have found a sophisticated and rare cross-platform malware, written from scratch for macOS, Windows and Linux, that appears to have been released in the second half of 2021.

Calling the backdoor (a remote access trojan, or RAT) “SysJoker”, the researchers explain that the malware is written in C++ and tailored to each operating system, and that its Linux and macOS variants were, at the time of the report, completely undetected on VirusTotal.

macOS malware

The cross-platform RAT for macOS appears to have been built by advanced threat actors to target specific individuals.

According to the report, SysJoker’s code has not been seen before, and the fact that it was written from scratch suggests that the attackers are well funded.

The analysis of the malicious code reveals that it provides advanced backdoor capabilities. The researchers suspect that one delivery path was a malicious npm JavaScript package installed via a TypeScript app, but they were not able to determine definitively how the malware was installed on the affected systems.

That said, SysJoker’s behavior and suspected targets suggest that the goal of the attacks is espionage or ransom. The report concludes:

  • The fact that the code was written from scratch and hasn’t been seen before in other attacks. On top of that, it is rare to find previously unseen Linux malware in a live attack.
    The attacker registered at least 4 different domains and wrote the malware from scratch for three different operating systems.
  • During our analysis, we haven’t witnessed a second stage or command sent from the attacker. This suggests that the attack is specific, which usually fits an advanced actor.
  • Based on the malware’s capabilities, we assess that the goal of the attack is espionage together with lateral movement, which might also lead to a ransomware attack as one of the next stages.

Apple - macOS exploit

In January 2021, security firm SentinelOne found that a sneaky macOS malware called OSAMiner had been infecting Macs unnoticed since 2015. The malware hid inside run-only AppleScripts and mined cryptocurrency.

During the Epic Games trial, Apple’s head of software Craig Federighi testified that the company does not apply the iOS App Store review system on macOS because Macs attract less attention from miscreants owing to how they are used, but he also admitted that the Mac is not safe from attacks.

When Judge Yvonne Gonzalez Rogers asked why Apple does not allow multiple app stores on the iPhone as it does on the Mac, Federighi tactfully said the Mac is the safest PC, but that “today we have a level of malware we don’t find acceptable on the Mac” and that it is “an endless game of whack-a-mole” because of the openness and flexibility of the operating system.

But the existence of iOS spyware like NSO Group’s Pegasus and Cytrox’s Predator shows that attackers are building ever more sophisticated malware for iOS and macOS, and Apple should strengthen its security checks across all of its devices.

About the Author

Addicted to social media and in love with the iPhone, I started blogging as a hobby, and now it's my passion: every day is a new learning experience. Hopefully, manufacturers will continue to use innovative solutions, and we will keep on letting you know about them.