New SysJoker backdoor targets Windows, macOS, and Linux


Level 83
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
A new multi-platform backdoor malware named 'SysJocker' has emerged in the wild, targeting Windows, Linux, and macOS with the ability to evade detection on all three operating systems.
The discovery of the new malware comes from researchers at Intezer who first saw signs of its activity in December 2021 after investigating an attack on a Linux-based web server.
The first uploads of the malware sample on VirusTotal occurred in H2 2021, which also aligns with the C2 domain registration times.
The security analysts have now published a detailed technical report on SysLocker, which they shared with Bleeping Computer before publication.
[...] "Next, SysJoker will gather information about the machine using Living off the Land (LOtL) commands. SysJoker uses different temporary text files to log the results of the commands,” explains Intezer’s report.


Level 37
Top poster
Nov 10, 2017
We may still be waiting for some developers to update their apps to run natively on M1 Macs, but the developer of SysJoker Mac malware is already on the case.

Security researcher Patrick Wardle points to what he says is the first Mac malware of 2022, and it runs on both Intel and M1 Macs. SysJoker can be controlled remotely by an attacker, allowing it to be used in many different ways …

The malware was discovered by Intezer. Initially it appeared to be Linux-only, but Windows and macOS versions were subsequently identified. Intezer’s own analysis focuses on the Windows version, so Wardle took a deep dive into the macOS variant.

The malware itself is disguised as a video file, but in reality is a universal binary containing both Intel and arm64 builds. The latter means it can run natively on any Apple Silicon Mac.

The rest