SysJoker is a backdoor discovered in late December 2021 targeting Linux, macOS, and Windows. At that time, MacOS and Linux samples were fully undetected in VirusTotal. That has changed as of today as AV vendors have developed standard detections for the signatures.
The developers or group behind SysJoker are active and vigilant. Security research firm Intezer explains in a report that the command-and-control server (C2) changed multiple times during one of their engagements. “SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive. During our analysis, the C2 changed three times, indicating the attacker is active and monitoring for infected machines.” The configuration file for the backdoor is hosted on a Google Drive account, which may make life a little more difficult if organizations have any blanket whitelisting in place for Google Drive infrastructure.
The group behind SysJoker appears to be advanced and is targeting specific entities with the goal of espionage, the ability to move laterally in the victim’s environment, and to deploy ransomware. The code for this malware was written from scratch and prior to this investigation, had no known samples, which is a rarity when researching Linux and MacOS malware.