“SysJoker” is newly discovered cross-platform malware (a backdoor) that infects Windows, Linux and macOS hosts.
Interestingly, the macOS sample is a Universal Binary, so it runs natively on both Intel and Apple Silicon Macs. The binary is ad-hoc signed, i.e. it carries a code signature but no developer certificate; future variants could be signed with a real certificate instead.
The files and directories created by SysJoker on macOS include:
/Library/MacOsServices
/Library/MacOsServices/updateMacOs
/Library/SystemNetwork
/Library/LaunchAgents/com.apple.update.plist
Persistence is provided by the LaunchAgent plist at /Library/LaunchAgents/com.apple.update.plist (the com.apple. prefix is chosen to blend in with legitimate Apple agents). If these files are found on a Mac, unload the LaunchAgent, kill the related processes and delete the files.
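The check-and-cleanup routine described above, as an added example that is not part of the original article or of the SysJoker code itself. It looks for the four macOS paths listed, optionally confirms the Universal Binary and ad-hoc signature with lipo and codesign, and removes the files. The ROOT argument is an assumption of this script: "/" for the live host, or a mounted disk image or scratch directory when testing offline.

```shell
#!/bin/sh
# Added example (not from the article or from the SysJoker authors): check a Mac for the
# file indicators listed above and clean them up. The four paths are the ones reported
# for the macOS variant. ROOT is this script's own assumption: "/" for the live host,
# or a mounted image / scratch directory for offline testing.

SYSJOKER_PATHS="
/Library/MacOsServices
/Library/MacOsServices/updateMacOs
/Library/SystemNetwork
/Library/LaunchAgents/com.apple.update.plist
"

# sysjoker_count ROOT: print how many of the indicators exist under ROOT.
sysjoker_count() {
    root="${1:-/}"; root="${root%/}"
    n=0
    for p in $SYSJOKER_PATHS; do
        if [ -e "$root$p" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# sysjoker_scan ROOT: print every indicator present; return 0 if any is found, 1 if none.
sysjoker_scan() {
    root="${1:-/}"; root="${root%/}"
    found=1
    for p in $SYSJOKER_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            found=0
        fi
    done
    return "$found"
}

# sysjoker_inspect BIN: on macOS, confirm the Universal Binary and ad-hoc signing described
# above. lipo lists the architectures; codesign prints "Signature=adhoc" for an ad-hoc
# signature and "Authority=" lines only when a real certificate chain is present.
sysjoker_inspect() {
    bin="$1"
    if [ ! -f "$bin" ]; then
        echo "no such file: $bin"
        return 1
    fi
    if command -v lipo >/dev/null 2>&1; then
        lipo -archs "$bin"
    fi
    if command -v codesign >/dev/null 2>&1; then
        codesign -dv "$bin" 2>&1 | grep -E '^(Identifier|Signature|Authority)='
    fi
    return 0
}

# sysjoker_remediate ROOT: unload the LaunchAgent and kill the dropped binary (live host
# only, i.e. ROOT=/), then delete the files and re-scan to confirm they are gone.
sysjoker_remediate() {
    root="${1:-/}"; root="${root%/}"
    plist="$root/Library/LaunchAgents/com.apple.update.plist"
    if [ -z "$root" ]; then
        # /Library/LaunchAgents applies to every user session; unload it for the current user.
        if [ -e "$plist" ] && command -v launchctl >/dev/null 2>&1; then
            launchctl unload "$plist" 2>/dev/null || true
        fi
        pkill -f "/Library/MacOsServices/updateMacOs" 2>/dev/null || true
    fi
    for p in $SYSJOKER_PATHS; do
        if [ -e "$root$p" ]; then
            rm -rf "$root$p"
        fi
    done
    # success only if nothing from the indicator list remains
    if sysjoker_scan "$root/" >/dev/null; then
        echo "remediation incomplete under $root/"
        return 1
    fi
    return 0
}

# Stand-alone run: scan the live host (or SYSJOKER_ROOT); remediate only after reviewing the hits.
sysjoker_scan "${SYSJOKER_ROOT:-/}" || echo "no SysJoker indicators under ${SYSJOKER_ROOT:-/}"
```

Run the scan first and only call sysjoker_remediate once the hits have been reviewed; the presence of a single path is enough to investigate, since a legitimate system has none of them.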
Reference: macOS, Windows, Linux all targeted by new cross-platform exploit
Recommendations
Developer:
Avoid opening files from untrusted sources.
QA engineer:
Avoid opening files from untrusted sources.
PM/DM:
Avoid opening files from untrusted sources.