Intezer researchers disclosed a multi-platform backdoor dubbed "SysJoker" targeting Windows, Mac and Linux computers.

Researchers on Tuesday reported finding a new multi-platform backdoor — SysJoker — that hits Windows, Mac and Linux machines.

In a Jan. 11 blog post, Intezer researchers said both the Linux and Mac versions are fully undetected by VirusTotal. The researchers first discovered the SysJoker malware during an active attack on a Linux-based web server of a leading educational institution.

The Intezer researchers believe that SysJoker was initiated during the second half of 2021. They report that SysJoker masquerades as a system update and generates its command and control (C2) by decoding a string retrieved from a text file hosted on a Google Drive. Based on the analysis done by Intezer, the C2 changed three times, which indicates that there’s an active attacker who’s monitoring for infected machines — and going after specific targets.

Most modern organizations operate a variety of platforms, so it comes as no surprise that attackers would want to port their tools to multiple platforms, said John Bambenek, principal threat hunter at Netenrich.

“Well-resourced threat groups will have tools to go after anything in a victim environment and this research shows this group is willing to invest in adapting their techniques to be effective,” Bambenek said. “The recurring use of Google Drive and other online services as part of an attack chain or C2 is a recurring problem that needs to be addressed by the various cloud providers.”

John Hammond, senior security researcher at Huntress, added that Intezer's analysis of SysJoker showcases the newly discovered malware strain using some particularly clever tricks. For example, its process of determining a command-and-control server address by decoding a Google Drive file is very effective, considering that most users would consider Google a trusted site.

“SysJoker offers the same risk as a remote-access Trojan on any other endpoint, whether it’s a physical on-premise device, or a cloud-hosted server — this backdoor offers remote access to the target,” Hammond said. “That can lead to further post-exploitation, like ransomware, defacement, or any damage the threat actors may choose.”

Hammond said one resource security teams should consider for trusted sites and well-known providers that might be abused for phishing, exfiltration, or C2 is the "Living Off Trusted Sites" project by a security researcher known as mrd0x. The listing for Google Drive outlines the technique.
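
One way a security team could hunt for the pattern described above, in which a process that is not a normal Google Drive client reads from Google Drive and then contacts a domain the environment has never seen before. This is an added example, not code from Intezer, Huntress or the original article; the log format, process names, domains, allowlist and five-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumption: processes that legitimately talk to Google Drive in this environment.
EXPECTED_DRIVE_CLIENTS = {"chrome", "firefox", "safari", "msedge"}
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample events: (ISO timestamp, host, process, destination domain).
SAMPLE_EVENTS = [
    ("2022-01-11T09:00:00", "web01", "chrome", "drive.google.com"),
    ("2022-01-11T09:00:20", "web01", "chrome", "news.example.org"),
    ("2022-01-11T09:05:00", "web01", "sysupdate-helper", "drive.google.com"),
    ("2022-01-11T09:05:40", "web01", "sysupdate-helper", "c2-placeholder.example.net"),
    ("2022-01-11T09:30:00", "web02", "backup-agent", "drive.google.com"),
    ("2022-01-11T10:30:00", "web02", "backup-agent", "storage.example.com"),
]
# Constructed baseline of domains already observed in the environment.
KNOWN_DOMAINS = {"news.example.org", "storage.example.com"}


def find_dead_drop_candidates(events, known_domains, window=WINDOW):
    """Return (host, process, domain) tuples where an unexpected process read
    from Google Drive and then reached a never-seen domain within `window`."""
    last_drive_fetch = {}  # (host, process) -> time of latest Drive request
    findings = []
    for ts, host, proc, domain in sorted(events):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        key = (host, proc)
        if domain in DRIVE_HOSTS:
            # Only remember Drive reads made by processes outside the allowlist.
            if proc.lower() not in EXPECTED_DRIVE_CLIENTS:
                last_drive_fetch[key] = when
            continue
        fetched = last_drive_fetch.get(key)
        if fetched and when - fetched <= window and domain not in known_domains:
            findings.append((host, proc, domain))
    return findings


if __name__ == "__main__":
    for host, proc, domain in find_dead_drop_candidates(SAMPLE_EVENTS, KNOWN_DOMAINS):
        print(f"review {host}: {proc} read Google Drive, then contacted {domain}")
```

The allowlist and baseline carry most of the weight here: sync clients and backup agents need to be added per environment, or they will dominate the findings.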