SysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution.
After further investigation, Intezer found that SysJoker also has Mach-O and Windows PE versions.
Based on Command and Control (C2) domain registration and samples found in VirusTotal, they estimate that the SysJoker attack was initiated during the second half of 2021.
SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive.
During the analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines.
Based on victimology and the malware's behavior, they assess that SysJoker is after specific targets.
SysJoker was uploaded to VirusTotal with the suffix .ts, which is used for TypeScript files.
A possible attack vector for this malware is via an infected npm package.
The malware is written in C++ and each sample is tailored for the specific operating system it targets. Both the macOS and Linux samples are fully undetected in VirusTotal.
SysJoker’s behavior is similar for all three operating systems.
Unlike the macOS and Linux samples, the Windows version contains a first-stage dropper.
The dropper (d71e1a6ee83221f1ac7ed870bc272f01) is a DLL that was uploaded to VirusTotal as style-loader.ts.
The dropper retrieves a zipped SysJoker (53f1bb23f670d331c9041748e7e8e396) from the C2 at https[://]github[.]url-mini[.]com/msg.zip, copies it to C:\ProgramData\RecoverySystem\recoveryWindows.zip, unzips it and executes it. All of these actions are performed via PowerShell commands.
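The indicators quoted above (the two MD5 hashes, the defanged C2 URL and the staging path) are the kind a defender would turn into a retro-hunt over endpoint and proxy telemetry. The following is an added example, not code from Intezer or from the original page: it refangs the C2 URL as published, derives the host name from it, and matches hashes, domain and staging path against a handful of constructed log lines. The log format (Sysmon-style `EventID=`, `DestinationHostname=`, `TargetFilename=` fields and an EDR-style `MD5=` field) is an assumption chosen for illustration; the indicator values themselves come from the page.

```python
"""Hunt for the SysJoker Windows-dropper indicators listed on this page.

Added example, not part of the Intezer report. Log lines below are
constructed; only the hash, domain and path values come from the page.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators exactly as the page gives them (the URL is defanged).
DEFANGED_C2_URL = "https[://]github[.]url-mini[.]com/msg.zip"
SYSJOKER_HASHES = {
    "d71e1a6ee83221f1ac7ed870bc272f01": "SysJoker Windows dropper DLL (style-loader.ts)",
    "53f1bb23f670d331c9041748e7e8e396": "zipped SysJoker payload (msg.zip)",
}
SYSJOKER_PATHS = {r"c:\programdata\recoverysystem\recoverywindows.zip"}


def refang(url: str) -> str:
    """Turn the report's defanged URL back into a matchable one."""
    return url.replace("[://]", "://").replace("[.]", ".")


# Host name to hunt for in network telemetry, derived from the page's C2 URL.
SYSJOKER_DOMAINS = {urlparse(refang(DEFANGED_C2_URL)).hostname}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str          # "hash", "domain" or "path"
    value: str
    description: str


def normalize_path(p: str) -> str:
    """Case-fold and unify slashes so C:/ProgramData/... also matches."""
    return p.replace("/", "\\").lower()


HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")                 # MD5
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
PATH_RE = re.compile(r"[A-Za-z]:[\\/][^\s\"']+")              # Windows paths


def scan_log(lines):
    """Return every indicator match found in the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in HASH_RE.findall(line):
            if h.lower() in SYSJOKER_HASHES:
                hits.append(Hit(n, "hash", h.lower(), SYSJOKER_HASHES[h.lower()]))
        for d in DOMAIN_RE.findall(line):
            if d.lower() in SYSJOKER_DOMAINS:
                hits.append(Hit(n, "domain", d.lower(), "SysJoker C2 contacted by the dropper"))
        for p in PATH_RE.findall(line):
            if normalize_path(p) in SYSJOKER_PATHS:
                hits.append(Hit(n, "path", normalize_path(p), "SysJoker staging path written"))
    return hits


# Constructed sample telemetry (assumed Sysmon/EDR-like field names).
SAMPLE_LOG = [
    r"2022-01-11 10:02:13 sysmon EventID=3 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationHostname=github.url-mini.com DestinationPort=443",
    r"2022-01-11 10:02:15 sysmon EventID=11 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\ProgramData\RecoverySystem\recoveryWindows.zip",
    r"2022-01-11 10:02:16 edr FileHash MD5=53f1bb23f670d331c9041748e7e8e396 Path=C:\ProgramData\RecoverySystem\recoveryWindows.zip",
    r"2022-01-11 10:05:00 sysmon EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationHostname=www.example.com DestinationPort=443",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.value} -> {hit.description}")
```

Running it over the constructed lines flags the C2 connection on line 1, the staging file write on line 2 and both the payload hash and the path on line 3, while the benign Firefox connection on line 4 produces nothing. Path matching is normalised because the same file may appear with forward slashes or different casing across tools; a real hunt would also pivot on the parent process being PowerShell, which the page identifies as the execution mechanism.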