New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


SysJoker – Advanced Multi-Platform Backdoor Opening 2022

SysJoker is a backdoor discovered in late December 2021 targeting Linux, macOS, and Windows. At that time, MacOS and Linux samples were fully undetected in VirusTotal. That has changed as of today as AV vendors have developed standard detections for the signatures.

The developers or group behind SysJoker are active and vigilant. Security research firm Intezer explains in a report that the command-and-control server (C2) changed multiple times during one of their engagements. “SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive. During our analysis, the C2 changed three times, indicating the attacker is active and monitoring for infected machines.” The configuration file for the backdoor is hosted on a Google Drive account, which may make life a little more difficult if organizations have any blanket whitelisting in place for Google Drive infrastructure.

The group behind SysJoker appears to be advanced and is targeting specific entities with the goal of espionage, the ability to move laterally in the victim’s environment, and to deploy ransomware. The code for this malware was written from scratch and prior to this investigation, had no known samples, which is a rarity when researching Linux and MacOS malware.








61df74731fbe1eafb2eb987f20e5226962eeceef010164e41ea6c4494a4010fc 1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c

Analyst Notes

In 2022, we need to understand that a reactive defense is no longer enough and that organizations need to employ a mature, effective, defense-in-depth security strategy that includes proactive measures. There are many well-planned frameworks available for defenders to begin learning about simple and effective steps when it comes to tailoring enriched and deliberate threat hunts. To bolster and reduce the burden of Security Operations Centers and Incident Response teams is to multiply cost-savings when dealing with an active harmful incident.

New SysJoker Backdoor Targets Windows, Linux, and macOS