Beware of SysJoker, new malware that affects Windows, Linux and macOS

1015305.jpeg
1015305.jpeg

Is called SysJoker, and it is a malware recently discovered by the cybersecurity company Intezer very dangerous because affects both Windows, macOS and Linux. Among other things, the malware was identified in the course of an attack conducted on a Linux-based web server, and the online file scanning platform VirusTotal was unable to identify it for either Mac or Linux (for Windows instead Yes).

SysJoker is to be precise a backdoor, therefore a potential spying tool available to the hacker who controls it, which however does not in itself contain attacks with an immediate tangible impact such as ransomware. Of course, once there is a breach in a system, it is much easier for all the rest of the defenses to collapse, so to speak. In any case, even the theft of potentially highly sensitive personal data (bank credentials or credit card numbers, for example) is an equally serious threat – and far more subtle precisely because it is difficult to see.

The good news is that SysJoker is not an attack that can be launched remotely and that leaves no defense to the user. In fact, it disguises itself as a software update, therefore must be actively downloaded and installed. The malware is written in C ++ and includes multiple variants that activate based on the target operating system.


The virus was first identified in December, and for the moment it is difficult to determine precisely which antivirus can detect it – outside of those produced by Intezer itself, of course. The company offers on its official blog a series of generic checks that can be performed to make sure they are clean, but, in fact, they are generic and require a certain level of competence. Let’s put it this way: if you haven’t recently downloaded a software update from some weird site you can be reasonably sure you’re okay.

In any case, Intezer notes that whoever wrote it probably knows his stuff: to begin with it is written completely from scratch, not reusing code from other malware as it often happens; and for three different operating systems. It also exploits vulnerabilities that were not previously known, which is particularly rare when looking at Linux. Finally, at least 4 different domains were registered for the C&C server, and the attack was very cautious and reasoned: during the Intezer analyzes no commands sent by the server or a real attack phase after infiltration were recorded .