macOS, Windows, Linux all targeted by new cross-platform exploit

On January 11, researchers from Intezer revealed they had found SysJoker, a backdoor that was originally discovered to be attacking Linux. Shortly after, variants of the same backdoor were uncovered that went after Windows and macOS.

The find is unusual, as it is rare to discover malicious code that can attack multiple platforms at once. Typically, malware is produced to attack a specific vulnerability in one platform only, rather than produced in a similar way for multiple platforms simultaneously.

According to the researchers in a technical analysis, SysJoker is thought to have been initiated in an attack in the second half of 2021. Security researcher Patrick Wardle performed the analysis of macOS variant, as Intezer concentrated on the Windows version.

The code is found to be a universal binary covering Intel and arm64 builds, meaning it could run on Apple Silicon as well as older Macs with Intel chips. The code is signed, albeit with an ad-hoc signature.

When initially run, the software copies itself to the user’s Library as an update for macOS, which is used to persist on the infected system.

After being run, the malware then attempts to download a file form a Google Drive account, and is able to pull and run an executable, depending on the commands from a designated control server. Other commands include unzipping a downloaded executable, and to change the permissions of the unzipped executable to allow it to run.

The Windows analysis indicates it operates in practically the same way, namely pretending to be an update, contacting a remote server to download a payload and to receive other commands, and to execute the code on the target system.

It seems that the backdoor is starting to be flagged by antivirus engines, after being identified by the researchers.

As for its purpose, Intezer hasn’t witnessed a second-stage or command sent by the attacker, which points to it having a highly specific purpose, and therefore likely to be from an “advanced actor.” It is thought the goal is “espionage,” though there is the possibility of ransomware attacks to be made as a follow-up stage.

Intezer has published a list of indicators that a system has been attacked, including what files are created and the LaunchAgent that allows the code to persist.

The files and directories created by SysJoker include:

• /Library/MacOsServices
• /Library/MacOsServices/updateMacOs
• /Library/SystemNetwork
• /Library/LaunchAgents/com.apple.update.plist

The persistence code is under the path LibraryLaunchAgents/com.apple.update.plist. If the files are found on a Mac, it is advised to kill off all related processes and delete the files.

It is unclear how a user may become a victim of SysJoker at this time.