New macOS Malware: SysJoker Malware Targets macOS on Intel and M1 Devices

Nicolas Ponce | 01/18/2022


The cybersecurity firm Intezer has discovered a cross-platform backdoor that targets Windows, Linux, and macOS, with the macOS build running natively on both Intel and Apple Silicon (M1) Macs.

Intezer first observed this multiplatform malware in December 2021 and published its findings, focused on the Windows version, in January 2022. Patrick Wardle of Objective-See then analyzed the macOS variant, detailing how it establishes persistence and how it communicates with its command and control (C&C) server.

The executable carries a .ts extension which, according to Wardle, may be an attempt to pass as a video file. It is a universal (fat) binary compiled for both the x86_64 and arm64 architectures, so it runs natively on both Intel and M1 Macs.
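The quickest triage question for a suspicious Mac binary is which architectures it actually carries. The script below is an added example, not Wardle's tooling and not Addigy's Fact or Script: it reads the Mach-O fat header (magic, slice count, then one 20-byte entry per slice) with nothing but od and printf, so it works on a Linux analysis box where lipo and file are not available. The sample header it writes is constructed for the demonstration, not a real SysJoker file; the two cputype values are the standard Mach-O constants for x86_64 and arm64.

```sh
#!/bin/sh
# Added example (not from Objective-See or Addigy): read a Mach-O fat header
# and list the CPU slices it carries, so you can spot universal binaries like
# SysJoker's that ship both x86_64 and arm64 code. Only od(1) and printf(1)
# are used, so it works even where lipo(1) and file(1) are unavailable.
#
# Fat header layout, all fields big-endian uint32:
#   magic      0xCAFEBABE
#   nfat_arch  number of slices
#   then nfat_arch entries of 20 bytes: cputype, cpusubtype, offset, size, align

# Print the 4 bytes at offset $2 of file $1 as 8 lowercase hex digits.
read_be32() {
  od -An -tx1 -j "$2" -N 4 "$1" | tr -d ' \n'
}

# Map a Mach-O cputype to a name; only the two SysJoker targets are named.
arch_name() {
  case "$1" in
    01000007) echo x86_64 ;;
    0100000c) echo arm64 ;;
    *)        echo "unknown(0x$1)" ;;
  esac
}

# Print one architecture per line. Returns 1 when the file does not start
# with the fat magic (a thin Mach-O, or not a Mach-O at all).
fat_archs() {
  f=$1
  [ "$(read_be32 "$f" 0)" = "cafebabe" ] || return 1
  n=$((0x$(read_be32 "$f" 4)))
  i=0
  while [ "$i" -lt "$n" ]; do
    arch_name "$(read_be32 "$f" $((8 + i * 20)))"
    i=$((i + 1))
  done
}

# True only when both an Intel and an Apple Silicon slice are present.
is_intel_and_arm_universal() {
  archs=$(fat_archs "$1") || return 1
  echo "$archs" | grep -qx x86_64 && echo "$archs" | grep -qx arm64
}

# Constructed sample (not a real SysJoker file): a 48-byte fat header
# declaring an x86_64 slice and an arm64 slice. Written to $1.
write_sample_fat_header() {
  printf '\312\376\272\276\000\000\000\002' > "$1"   # magic, nfat_arch = 2
  # x86_64: cputype 0x01000007, subtype 3, offset 0x4000, size 0x100, align 14
  printf '\001\000\000\007\000\000\000\003\000\000\100\000\000\000\001\000\000\000\000\016' >> "$1"
  # arm64: cputype 0x0100000c, subtype 0, offset 0x8000, size 0x100, align 14
  printf '\001\000\000\014\000\000\000\000\000\000\200\000\000\000\001\000\000\000\000\016' >> "$1"
}

# Stand-alone run: build the sample and report on it.
sample=$(mktemp)
write_sample_fat_header "$sample"
fat_archs "$sample"
if is_intel_and_arm_universal "$sample"; then
  echo "universal: Intel + Apple Silicon"
fi
rm -f "$sample"
```

Point fat_archs at any file you are triaging; a thin binary (0xFEEDFACF magic) makes it return 1, which is the signal to fall back to inspecting the single Mach-O header instead.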

Once run, the malware copies itself to a fixed location, launches the copy, and establishes persistence by writing a Launch Agent property list (.plist). It then downloads a file from Google Drive and decodes its contents into the URL of the C&C server, through which the attacker sends commands and retrieves their output. Note that the Launch Agent is named com.apple.update.plist and dropped in /Library/LaunchAgents; Apple's own agents live under /System/Library/LaunchAgents, so a com.apple.* label in /Library/LaunchAgents is a red flag in its own right.

In response, Addigy has published a Custom Fact that detects files associated with SysJoker and a Custom Script that removes them. They are available in the Community tab as “SysJoker Malware Detected” (the Fact) and “SysJoker Malware Removal Script” (the Script).

Community Resources

New Community Fact: SysJoker Malware Detected

New Community Script: SysJoker Malware Removal Script

A Monitoring item can be created that uses the Fact to flag compromised machines and runs the Script against them to remediate automatically.


Indicators of Compromise for macOS (provided in Intezer’s report):

Files and Directories

/Library/MacOsServices
/Library/MacOsServices/updateMacOs
/Library/SystemNetwork
/Library/LaunchAgents/com.apple.update.plist

Hashes (SHA-256)

1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac
fe99db3268e058e1204aff679e0726dc77fd45d06757a5fda9eafc6a28cfb8df
d0febda3a3d2d68b0374c26784198dc4309dbe4a8978e44bb7584fd832c325f0