SysJoker Backdoor Malware Has Been Running Undetected on M1 Macs for Several Months

BY Anu Joy

Published 19 Jan 2022

SysJoker, a backdoor malware, was recently uncovered by security firm Intezer. The malware has been quietly targeting macOS, Windows, and Linux operating systems over the past few months, undetected by antivirus software. Security researcher Patrick Wardle called it the first Mac malware of 2022.

Researchers from Intezer first discovered SysJoker on the Linux-based web server of a “leading educational institution.” On digging further, they unearthed that SysJoker versions existed for both Windows and macOS as well. It is estimated that the malware attack was unleashed during the second half of 2021.

What is SysJoker?

SysJoker disguises itself as a system update and obtains its Command and Control (C2) address by decoding a string from a text file that is hosted on Google Drive, Intezer explains. The C2 was found to change over time, which implies that the attacker is constantly monitoring for infected machines. The security firm concluded that the malware is going after specific targets.

Essentially, SysJoker creates a series of files and registry commands that allow it to run commands on the infected device, install other malware or even command the backdoor to remove itself. Going by the malware’s capabilities, the attack has reportedly been carried out by an “advanced threat actor.” Intezer adds that “the goal of the attack is espionage together with lateral movement which might also lead to a ransomware attack as one of the next stages.”

SysJoker on macOS: Detection and Prevention

Intezer focused on the Windows version of the malware, so Wardle took it upon himself to explore the effects of the macOS variant. He noticed that the malware masquerades as a video file but is in reality a universal binary containing both Intel and arm64 builds. The arm64 build ensures that it can run natively on any Apple silicon Mac. The malware copies itself to the Library/MacOsServices/ directory, so that it will be run each time you restart your infected Mac.

Since this malware has managed to evade antivirus software, you’ll have to check for the indicators of compromise (IOCs) that have been listed in Intezer’s report. The malware files are created under “/Library/” and the malware establishes persistence via a LaunchAgent at the path /Library/LaunchAgents/com.apple.update.plist.
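The check described above can be scripted. The following is an added example, not code from Intezer, Wardle or this article: it looks for the two indicators named here (the MacOsServices directory and the com.apple.update.plist LaunchAgent) and also flags any LaunchAgent whose command runs from that directory, so a renamed plist is still caught. Scanning per-user Library folders as well as /Library, the function names, and the sample tree built in `demo()` are assumptions made for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Indicators quoted in the article; the scan layout around them is an assumption.
IOC_PLIST_NAME = "com.apple.update.plist"
IOC_DIR_NAME = "MacOsServices"

def agent_argv(plist_path):
    """Return the command a LaunchAgent plist would start, [] if unparseable."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
        argv = [str(a) for a in data.get("ProgramArguments", [])]
        if "Program" in data:
            argv.insert(0, str(data["Program"]))
        return argv
    except Exception:  # unreadable, malformed, or not a dict: nothing to inspect
        return []

def scan(root="/"):
    """Check the system and per-user Library folders under root."""
    root = Path(root)
    findings = []
    for lib in [root / "Library", *sorted(root.glob("Users/*/Library"))]:
        if (lib / IOC_DIR_NAME).is_dir():
            findings.append(("ioc-directory", lib / IOC_DIR_NAME))
        agents = lib / "LaunchAgents"
        for plist in sorted(agents.glob("*.plist")) if agents.is_dir() else []:
            if plist.name == IOC_PLIST_NAME:
                findings.append(("ioc-plist-name", plist))
            if any(f"/{IOC_DIR_NAME}/" in arg for arg in agent_argv(plist)):
                findings.append(("agent-runs-from-ioc-dir", plist))
    return findings

def demo():
    """Scan a constructed sample tree (harmless files, not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "Users", "alice", "Library")
        (lib / IOC_DIR_NAME).mkdir(parents=True)
        (lib / "LaunchAgents").mkdir()
        bad = {"Label": "com.apple.update", "ProgramArguments": [f"{lib}/{IOC_DIR_NAME}/sample"]}
        ok = {"Label": "com.example.helper", "ProgramArguments": ["/usr/local/bin/helper"]}
        for name, body in [(IOC_PLIST_NAME, bad), ("renamed.plist", bad), ("helper.plist", ok)]:
            (lib / "LaunchAgents" / name).write_bytes(plistlib.dumps(body))
        return [(kind, path.name) for kind, path in scan(tmp)]

if __name__ == "__main__":
    print(demo())
```

On a Mac, calling `scan()` with no argument checks the live system. An empty result only means these particular indicators are absent.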

At the end of the day, it’s always best to exercise a few precautions to protect yourself from malware. Do not download pirated software or electronic media from unreliable sources. Avoid clicking on suspicious links or attachments in suspicious emails, and always check the URLs first. How do you protect yourself online? Let us know in the comments.

[Via Intezer]