
macOS, Windows, Linux all targeted by new cross-platform exploit


The new "SysJoker" backdoor can reportedly attack multiple operating systems, including macOS, Windows, and Linux.

On January 11, researchers from Intezer revealed they had found SysJoker, a backdoor that was originally discovered to be attacking Linux. Shortly after, variants of the same backdoor were uncovered that went after Windows and macOS.

The find is unusual, as it is rare to discover malicious code that can attack multiple platforms at once. Typically, malware is produced to attack a specific vulnerability in one platform only, rather than produced in a similar way for multiple platforms simultaneously.

According to the researchers' technical analysis, SysJoker is thought to have first been used in an attack in the second half of 2021. Security researcher Patrick Wardle performed the analysis of the macOS variant, while Intezer concentrated on the Windows version.

The macOS sample is a universal binary containing both Intel and arm64 builds, meaning it can run on Apple Silicon as well as older Intel-based Macs. The binary is signed, albeit only with an ad-hoc signature.

When first run, the malware copies itself into the user's Library folder, posing as a macOS update, and that copy is what is used to persist on the infected system.

Once running, the malware attempts to download a file from a Google Drive account, and can fetch and run an executable depending on the commands it receives from a designated command-and-control server. Other commands include unzipping a downloaded executable and changing the permissions of the unzipped executable so that it can run.

The Windows analysis indicates that the variant operates in practically the same way: it pretends to be an update, contacts a remote server to download a payload and receive further commands, and executes the code on the target system.

The backdoor appears to be getting flagged by antivirus engines now that the researchers have identified it.

As for its purpose, Intezer has not witnessed a second-stage payload or any command sent by the attacker, which points to the backdoor having a highly specific purpose and therefore likely being the work of an "advanced actor." The goal is thought to be "espionage," though a ransomware attack could follow as a later stage.

Detecting SysJoker

Intezer has published a list of indicators that a system has been compromised, including the files that are created and the LaunchAgent that allows the code to persist.

The files and directories created by SysJoker include:

  • /Library/MacOsServices
  • /Library/MacOsServices/updateMacOs
  • /Library/SystemNetwork
  • /Library/LaunchAgents/com.apple.update.plist

The persistence file is at /Library/LaunchAgents/com.apple.update.plist. If these files are found on a Mac, it is advised to kill all related processes and delete the files.
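A defensive check for the file indicators listed above, as an added example that is not from the article or from Intezer. It takes an optional root prefix so it can be pointed at a mounted disk image or a test directory, and it checks both the system Library and the user's Library, since the article says the malware copies itself into the user's Library folder.

```sh
#!/bin/sh
# Added example: look for the SysJoker file indicators published by Intezer.
# Not part of the original article or of any Intezer tooling.

# Indicator paths exactly as listed in the article.
SYSJOKER_IOC_PATHS="/Library/MacOsServices
/Library/MacOsServices/updateMacOs
/Library/SystemNetwork
/Library/LaunchAgents/com.apple.update.plist"

# sysjoker_check_paths [prefix]
# Prints every indicator that exists under the given prefix ("" means the
# live filesystem). Returns 0 if none were found, 1 if at least one was.
sysjoker_check_paths() {
    prefix="${1:-}"
    hits=0
    for p in $SYSJOKER_IOC_PATHS; do
        if [ -e "$prefix$p" ]; then
            echo "FOUND: $prefix$p"
            hits=1
        fi
    done
    return "$hits"
}

# sysjoker_scan [root] [home]
# Checks the system Library (root) and the user's Library (root+home).
# Returns 0 when clean, 1 when any indicator is present.
sysjoker_scan() {
    scan_root="${1:-}"
    scan_home="${2:-$HOME}"
    rc=0
    sysjoker_check_paths "$scan_root" || rc=1
    sysjoker_check_paths "$scan_root$scan_home" || rc=1
    if [ "$rc" -eq 0 ]; then
        echo "No SysJoker file indicators found under '${scan_root:-/}'"
    else
        echo "Indicators present: kill related processes, then remove the files"
    fi
    return "$rc"
}
```

Run it with no arguments on the Mac being checked; the exit status (0 clean, 1 indicators present) makes it usable from a fleet-wide script.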

It is unclear how a user may become a victim of SysJoker at this time.



5 Comments

lkrupp 19 Years · 10521 comments

You know what? I don't give a shit anymore.

The quote of the day: "It is unclear how a user may become a victim of SysJoker at this time."

bakerzdosen 16 Years · 185 comments

I went *years* without running AV software on my Mac. I think I even bragged about it in a Tweet about 10 years ago.

But these days, well, things have changed. (A massive/sophisticated ransomware attack can have that effect on you.)

I'm pretty happy to have Carbon Black on my Mac.

macxpress 16 Years · 5913 comments

I went *years* without running AV software on my Mac. I think I even bragged about it in a Tweet about 10 years ago.

But these days, well, things have changed. (A massive/sophisticated ransomware attack can have that effect on you.)

I'm pretty happy to have Carbon Black on my Mac.

I'm happy to not have to run any kind of antivirus on my Mac. All of these attacks on macOS are typically bogus as they cannot be run without user interaction.

TheAppleGeek 2 Years · 1 comment

It won't be a catch-all, but run something like LuLu, which alerts you when anything calls out to another server or mothership.

https://objective-see.com/products/lulu.html

viclauyyc 10 Years · 847 comments

It won't be a catch-all, but run something like LuLu, which alerts you when anything calls out to another server or mothership.

https://objective-see.com/products/lulu.html

I used to have Little Snitch on my Mac. However, there is just way too much outgoing traffic to unknown destinations. It is just hard for a regular user like myself to understand what is good and bad…