A Unique Remote Access Trojan For Windows, Linux And MacOS
In general it is nice to see software which supports all major operating systems and which was written from scratch; except when it is a virus. SysJoker was just discovered thanks to some impressive work from the security firm Intezer, and as it is not detected by AV scans it is hard to say how long it has been out and circulating or how widespread the RAT is. The trojan seems to have been written from scratch in C++ and has four separate command-and-control servers, indicating this was not created by amateurs but instead likely has some sort of support behind it. That theory is somewhat strengthened by the Apple version sporting an ad-hoc digital signature.
The files all bear a .ts extension; on Apple that indicates a video transport stream file, while on Windows it is a TypeScript file, though obviously SysJoker is neither. Once infected, a machine will reach out to a Google Doc to receive an encoded string which contains the current domain for the command-and-control servers, a domain that changed three times while the security team was investigating.
This is likely to be a targeted attack, unlikely to pop up on any old computer. However, as it is not yet known how the RAT got onto infected machines, there is no reason to think it won't spread, especially if you are connecting to a system which has already fallen victim to SysJoker. Ars Technica is keeping an eye on the story.
Analyses of the Windows version (by Intezer) and the version for Macs (by researcher Patrick Wardle) found that SysJoker provides advanced backdoor capabilities. Executable files for both the Windows and macOS versions had the suffix .ts.
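As an added example that is not part of the original post or of the Intezer and Wardle analyses: a small Python check for the masquerade described above, flagging files that carry a .ts extension but begin with a PE, ELF or Mach-O header rather than MPEG transport-stream or text content. The file names, sample byte strings and the `scan_dir` helper are constructed for illustration.

```python
import os

# Well-known magic numbers of native executable formats.
PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O, big/little endian
    b"\xca\xfe\xba\xbe",                        # universal (fat) Mach-O; also Java .class
}
MPEG_TS_SYNC = 0x47      # a real transport stream has 0x47 at every 188-byte boundary
MPEG_TS_PACKET = 188
EXEC_KINDS = {"pe", "elf", "macho"}


def classify_header(data: bytes) -> str:
    """Return a coarse type for the leading bytes of a file."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if (len(data) > MPEG_TS_PACKET and data[0] == MPEG_TS_SYNC
            and data[MPEG_TS_PACKET] == MPEG_TS_SYNC):
        return "mpeg-ts"
    return "other"          # text (e.g. TypeScript source), unknown, or truncated


def suspicious_ts_file(name: str, data: bytes) -> bool:
    """True when a .ts-named file actually starts like a native executable."""
    return name.lower().endswith(".ts") and classify_header(data) in EXEC_KINDS


def scan_dir(root: str, limit: int = 4096) -> list:
    """Walk a directory tree and list (path, kind) for .ts files with executable headers."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(limit)
            except OSError:
                continue            # unreadable or vanished file; skip it
            if suspicious_ts_file(fn, head):
                hits.append((path, classify_header(head)))
    return hits


# Constructed samples: a PE stub named like a video, a genuine-looking TS stream, TypeScript source.
SAMPLES = {
    "player.ts": b"MZ" + b"\x90" * 62,
    "movie.ts": bytes([MPEG_TS_SYNC]) + b"\x00" * 187 + bytes([MPEG_TS_SYNC]) + b"\x00" * 187,
    "app.ts": b"const x: number = 1;\n",
}
```

Running `{n: suspicious_ts_file(n, d) for n, d in SAMPLES.items()}` flags only `player.ts`; a fat-binary match on 0xCAFEBABE should be confirmed against a Java class file before acting on it.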