Researchers have discovered a terrifying new form of malware written from scratch. It is designed to target systems running macOS, Windows, and Linux. Before it was found, this piece of backdoor malware was not detectable by any malware scanning engines.

The researchers who discovered the malware work at security firm Intezer. They named it SysJoker and reported it was found in a Linux-based web server of a leading educational institution. As the researchers started investigating, they found versions of the malware for Windows and macOS too.

The thinking is that the cross-platform remote access trojan (RAT) was released into the wild in the second half of 2021.

A rare find

The discovery stands out for several reasons. It is rare to see cross-platform malware; many of the samples that are found are intended to target only one operating system.

The RAT was also written from scratch and leveraged four separate command-and-control servers, indicating that the people who developed and deployed it belong to an advanced threat actor that was willing to spend the money to make this happen.

Another unusual thing is that previously unseen Linux malware is rarely found in real-world attacks. Analyzing the versions for macOS and Windows showed the malware has top-tier backdoor capabilities.

Espionage, possibly

SysJoker is written in C++ and as of Tuesday, the Linux and macOS versions were still undetectable by the VirusTotal malware search engine. The backdoor generates its control-server domain by decoding a string retrieved from a text file hosted on Google Drive.

During the analysis, researchers recorded three server changes in real time, showing the attacker was active and monitoring the infected machines.
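As an added example (not from the Intezer researchers or this article), here is one way a defender could hunt for the behavior described above: a non-browser process reading from a file-hosting service and then contacting a domain it has never used before, with the follow-up domain changing over time. The event format, process names, browser allowlist and 60-second window are assumptions, and the log events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): time, host, process, destination.
EVENTS = [
    ("2022-01-11T09:00:00", "web01", "firefox", "drive.google.com"),
    ("2022-01-11T09:00:05", "web01", "firefox", "news.example.org"),
    ("2022-01-11T09:10:00", "web01", "updater-svc", "drive.google.com"),
    ("2022-01-11T09:10:03", "web01", "updater-svc", "c2-a.example.net"),
    ("2022-01-11T13:10:00", "web01", "updater-svc", "drive.google.com"),
    ("2022-01-11T13:10:02", "web01", "updater-svc", "c2-b.example.net"),
    ("2022-01-11T14:00:00", "db02", "backup-agent", "storage.example.com"),
]

BROWSERS = {"firefox", "chrome", "msedge", "safari"}  # assumed allowlist
DROP_HOSTS = {"drive.google.com"}   # hosting service named in the article
WINDOW = timedelta(seconds=60)      # assumed correlation window


def find_dead_drop_candidates(events):
    """Return {(host, process): [domains]} for non-browser processes that
    contact a never-before-seen domain shortly after a file-hosting fetch."""
    last_fetch = {}  # (host, process) -> time of last file-hosting request
    seen = {}        # (host, process) -> domains already contacted
    hits = {}
    for ts, host, proc, domain in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (host, proc)
        known = seen.setdefault(key, set())
        if domain in DROP_HOSTS:
            if proc not in BROWSERS:
                last_fetch[key] = when
        elif (key in last_fetch and when - last_fetch[key] <= WINDOW
              and domain not in known):
            hits.setdefault(key, []).append(domain)
        known.add(domain)
    return hits


def rotating(hits, minimum=2):
    """Keys whose follow-up domain changed, i.e. apparent server rotation."""
    return sorted(k for k, d in hits.items() if len(set(d)) >= minimum)


if __name__ == "__main__":
    candidates = find_dead_drop_candidates(EVENTS)
    print(candidates)
    print(rotating(candidates))
```

A hit is a lead for triage rather than proof of compromise, since legitimate sync and backup tools also read from cloud storage.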

The researchers’ leading theory is that SysJoker is looking for specific targets, most likely ones beneficial to espionage, which can someday lead to a ransomware attack given enough lateral movement.