New SysJoker’s Backdoor Upgrade – Rust Language Adoption Raises Cybersecurity Stakes, Possible Hamas Connection

Nov 27, 2023 | News

A sophisticated iteration of the notorious multi-platform malware, ‘SysJoker,’ has surfaced, showcasing a complete code overhaul in the Rust programming language.

Initially documented by Intezer in early 2022, SysJoker infiltrates Windows, Linux, and macOS systems using stealthy techniques. Known for loading its payload in memory and for its diverse persistence mechanisms, the malware relies on “living off the land” commands and, at the time, managed to escape detection on VirusTotal across all OS variants.

Upon scrutinizing the new Rust-based versions, cybersecurity experts at Check Point identified a connection to the previously unattributed backdoor and ‘Operation Electric Powder,’ a series of cyber-attacks dating back to 2016-2017, primarily targeting Israel. This operation is believed to be orchestrated by a Hamas-affiliated threat actor known as ‘Gaza Cybergang.’

Rust-based SysJoker variant

The Rust-based SysJoker variant made its debut on VirusTotal on October 12, 2023, aligning with the escalation of the conflict between Israel and Hamas. To evade detection and analysis, the malware incorporates random sleep intervals and complex custom encryption for code strings.

Upon execution, the malware initiates registry modifications for persistence using PowerShell during its first launch. Subsequent executions establish communication with the Command and Control (C2) server, the address of which is retrieved from a OneDrive URL.

SysJoker’s primary function revolves around fetching and loading additional payloads on compromised systems, dictated by JSON-encoded commands. While it continues to collect system information, such as OS version, username, MAC address, etc., and transmits it to the C2, the Rust variant lacks the command execution capabilities seen in its predecessors. This alteration could indicate a strategic decision to make the backdoor lighter and stealthier.

Check Point researchers identified two more SysJoker samples, dubbed ‘DMADevice’ and ‘AppMessagingRegistrar,’ noting that they adhere to similar operational patterns.

Drawing a potential connection to the Hamas-affiliated ‘Gaza Cybergang,’ Check Point highlighted the use of the ‘StdRegProv’ WMI class in PowerShell commands for establishing persistence. This technique aligns with past attacks under ‘Operation Electric Powder,’ particularly those targeting the Israel Electric Company.
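The StdRegProv indicator above is something a defender can turn into a concrete check. The following is an added example, not code from the article or from Check Point's report: a small Python scanner that runs over PowerShell script-block log lines and flags StdRegProv write methods aimed at the Run/RunOnce autostart keys. The sample log lines are constructed, and the hive-constant mapping and Finding structure are my own assumptions.

```python
import re
from dataclasses import dataclass

# StdRegProv hDefKey constants, in the decimal and hex forms seen in scripts.
HIVES = {"2147483649": "HKCU", "0x80000001": "HKCU",
         "2147483650": "HKLM", "0x80000002": "HKLM",
         "2147483651": "HKU", "0x80000003": "HKU"}
HIVE_RE = re.compile(r"\b(0x8000000[123]|2147483649|2147483650|2147483651)\b", re.I)
# Methods that write to the registry (reads such as GetStringValue are ignored).
WRITE_METHODS = ("SetStringValue", "SetExpandedStringValue", "SetBinaryValue",
                 "SetDWORDValue", "SetMultiStringValue", "CreateKey")
AUTOSTART_KEY = re.compile(r"CurrentVersion\\+(Run|RunOnce)\b", re.I)

# Constructed sample script-block log entries (e.g. Event ID 4104 text), not real captures.
SAMPLE_LOGS = [
    'Invoke-WmiMethod -Namespace root\\default -Class StdRegProv -Name SetStringValue '
    '-ArgumentList 2147483649,"Software\\Microsoft\\Windows\\CurrentVersion\\Run","Updater","C:\\Users\\Public\\svc.exe"',
    'Get-WmiObject -Class Win32_OperatingSystem | Select-Object Version',
    '$r=[wmiclass]"root\\default:StdRegProv"; $r.SetStringValue(0x80000002,'
    '"Software\\Microsoft\\Windows\\CurrentVersion\\Run","Helper","C:\\ProgramData\\h.exe")',
    '$r.GetStringValue(2147483650,"Software\\Microsoft\\Windows\\CurrentVersion\\Run","Helper")',
    'Set-ItemProperty -Path HKCU:\\Software\\Test -Name Mode -Value 1',
]

@dataclass
class Finding:
    line_no: int   # 1-based index into the scanned log
    hive: str      # HKCU / HKLM / HKU / UNKNOWN
    method: str    # the StdRegProv write method used
    key: str       # the autostart key fragment that matched

def scan(lines):
    """Return a Finding for every line that writes an autostart key via StdRegProv."""
    findings = []
    for i, line in enumerate(lines, 1):
        if "StdRegProv" not in line:
            continue
        method = next((m for m in WRITE_METHODS if m in line), None)
        key = AUTOSTART_KEY.search(line)
        if method is None or key is None:
            continue  # read-only use, or a write to a non-autostart key
        hive_match = HIVE_RE.search(line)
        hive = HIVES.get(hive_match.group(1).lower(), "UNKNOWN") if hive_match else "UNKNOWN"
        findings.append(Finding(i, hive, method, key.group(0)))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.hive}\\{f.key} written via StdRegProv.{f.method}")
```

Line 4 is deliberately a read of the same key and is not flagged; feeding real 4104 script-block text in place of SAMPLE_LOGS is the intended use.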

Despite these similarities, it’s crucial to note that the attribution of SysJoker to ‘Gaza Cybergang’ remains inconclusive on the available evidence.

Source: bleepingcomputer.com