Researchers studying cybersecurity have uncovered SysJoker, a cross-platform backdoor implemented in Rust that is thought to have been utilized by a threat actor connected to Hamas to attack Israel during the current conflict in the region.
“Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities,” Check Point reported in its investigation on Wednesday. “In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command-and-control server) URLs.”
Intezer released a public description of SysJoker in January 2022, characterizing it as a backdoor that can access a text file housed on Google Drive that has a hard-coded URL, allowing it to gather system information and establish contact with an attacker-controlled server.
“Being cross-platform allows the malware authors to gain advantage of wide infection on all major platforms,” VMware stated in 2017. “SysJoker has the ability to execute commands remotely as well as download and execute new malware on victim machines.”
The cross-platform threat appears to have evolved with the discovery of a Rust variation of SysJoker. At different stages of its execution, the implant uses unpredictable sleep periods, probably in an attempt to avoid sandboxes.
The use of OneDrive to obtain the encoded and encrypted C2 server address, which is then parsed to extract the IP address and port to be used, is one notable change.
“Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services,” according to Check Point. “This behavior remains consistent across different versions of SysJoker.”
The artifact waits for more payloads to be sent to the compromised host after it has established a connection with the server.
The cybersecurity firm claimed to have also found two far more sophisticated SysJoker versions for Windows that had never been seen before, one of which used a multi-stage execution procedure to spread the virus.
As of yet, SysJoker has not been officially linked to any threat actor or organization. However, recently acquired information reveals similarities between the malware strains and backdoor utilized in relation to Operation Electric Powder, a targeted offensive against Israeli companies that took place between April 2016 and February 2017.
McAfee connected this behavior to Molerats, a threat actor associated with Hamas (also known as Extreme Jackal, Gaza Cyber Gang, and TA402).
Check Point discovered that “both campaigns used API-themed URLs and implemented script commands in a similar fashion,” which suggests that “the same actor is responsible for both attacks, despite the large time gap between the operations.”
