{"id":95160,"date":"2022-01-13T15:12:22","date_gmt":"2022-01-13T23:12:22","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=95160"},"modified":"2023-01-26T03:59:13","modified_gmt":"2023-01-26T11:59:13","slug":"sysjoker-cross-platform-backdoor-malware-for-mac-windows-and-linux","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/sysjoker-cross-platform-backdoor-malware-for-mac-windows-and-linux\/","title":{"rendered":"SysJoker: Cross-Platform Backdoor Malware for Mac, Windows, and Linux"},"content":{"rendered":"

\"SysJoker<\/p>\n

SysJoker is one of the most recently discovered Mac malware families. But SysJoker is not just Mac malware\u2014it’s cross-platform malware that can also infect PCs running Windows or Linux.<\/p>\n

Intego detects this malware’s various components as OSX\/SysJoker.gen<\/strong>, OSX\/SysJoker.lct<\/strong>, Linux\/SysJoker.A<\/strong>, and Win32\/SysJoker.A<\/strong>.<\/p>\n

Let’s examine this new threat and what makes it unique.<\/p>\n

How was SysJoker discovered?<\/h3>\n

According to Intezer<\/a>, SysJoker “was first discovered during an active attack on a Linux-based web server of a leading educational institution.” Mac and Windows variants were found layer. Although the malware was discovered in December 2021, it may have been deployed sometime earlier in the second half of the year.<\/p>\n

What does SysJoker do to an infected computer?<\/h3>\n

SysJoker pretends to be an operating system update mechanism. In reality, though, it has been observed to collect specific information about the infected computer, such as the MAC address, user name, and IP address. Thus its primary goal appears to be espionage, or in other words, spying on the victim.<\/p>\n

The initial macOS SysJoker component is named types-config.ts<\/code>, masquerading as either a TypeScript<\/a> or MPEG transport stream<\/a> video file. However, the file is actually a universal Mach-O<\/a> binary, meaning that it’s designed to infect Macs with either an Intel or Apple Silicon (e.g. M1) processor.<\/p>\n

The malware has methods of persistence, meaning it can continue to actively infect a computer after a reboot. Because it communicates with a command and control (C&C) server, it’s possible for the malware to receive additional instructions\u2014and download additional components and upgrade its capabilities\u2014at any time.<\/p>\n

How can one remove or prevent SysJoker and other threats?<\/h3>\n

Unfortunately, the threat mitigation features that Apple has built into macOS\u2014such as notarization, Gatekeeper, XProtect, and MRT\u2014do not block many types of threats. Thus, Apple\u2019s own macOS protection methods are insufficient by themselves.<\/p>\n

Related: Do Macs need antivirus software?<\/a><\/em><\/p>\n

Do Macs need antivirus software?<\/a><\/p><\/blockquote>\n