SysJoker Malware: Hamas-Related Threat Expands With Rust Variant

The SysJoker malware has been linked to targeted attacks by a Hamas-affiliated threat actor during the Israel-Hamas conflict. 

The unattributed multi-platform backdoor has undergone significant changes, with a shift to the Rust programming language, indicating a complete code rewrite while maintaining similar functionalities.

According to an advisory published by Check Point Research (CPR) last week, one of the key modifications involves the use of OneDrive instead of Google Drive for storing dynamic command-and-control (C2) server URLs, providing the threat actor with flexibility in changing C2 addresses.

“The earlier versions of the malware were coded in C++,” reads the advisory. “Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements.”

Analysis of new SysJoker variants also revealed connections to Operation Electric Powder, a series of targeted attacks against Israeli organizations between 2016 and 2017, previously linked to the Gaza Cybergang (aka Molerats). Both campaigns share a unique PowerShell command based on the StdRegProv WMI class.

The Rust variant of SysJoker, submitted to VirusTotal as “php-cgi.exe” on October 12, 2023, employs random sleep intervals to potentially evade sandbox and analysis measures. It operates in two modes based on its presence in a specific path. During the first execution, the malware establishes persistence through PowerShell, while subsequent executions retrieve C2 server addresses from OneDrive.
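For defenders, the PowerShell and StdRegProv overlap described above can be hunted in process-creation logs. The sketch below is an added example, not code from Check Point's advisory: it generalizes to any StdRegProv registry write launched from PowerShell, including `-EncodedCommand` payloads, because the exact SysJoker command is not reproduced in this article. The event field names, hosts and sample command lines are constructed.

```python
import base64
import re

# Registry-modifying methods of the StdRegProv WMI class.
WRITE_METHODS = re.compile(
    r"\b(CreateKey|DeleteKey|DeleteValue|"
    r"Set(?:String|ExpandedString|MultiString|DWORD|QWORD|Binary)Value)\b", re.I)
POWERSHELL = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$", re.I)
ARG = re.compile(r"(?:^|\s)-(\w+)\s+([A-Za-z0-9+/=]+)")  # "-flag value" pairs

def candidate_texts(cmdline):
    """Yield the raw command line, then any decoded -EncodedCommand payload."""
    yield cmdline
    for flag, blob in ARG.findall(cmdline):
        # PowerShell accepts any prefix of -EncodedCommand, plus the alias -ec.
        if "encodedcommand".startswith(flag.lower()) or flag.lower() == "ec":
            try:
                yield base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:  # not base64, or not UTF-16LE text
                continue

def flag_stdregprov_writes(events):
    """Return (host, method) for PowerShell events calling a StdRegProv write method."""
    hits = []
    for ev in events:
        if not POWERSHELL.search(ev["image"]):
            continue
        for text in candidate_texts(ev["cmdline"]):
            method = WRITE_METHODS.search(text)
            if method and "stdregprov" in text.lower():
                hits.append((ev["host"], method.group(1)))
                break
    return hits

def enc(script):  # builds the constructed -enc sample below
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed process-creation events (hypothetical hosts and field names).
WRITE = "$r=[wmiclass]'StdRegProv'; $r.SetStringValue($hive,$key,$name,$data)"
READ = "$r=[wmiclass]'StdRegProv'; $r.GetStringValue($hive,$key,$name)"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": PS, "cmdline": f'powershell.exe -NoProfile -Command "{WRITE}"'},
    {"host": "ws-02", "image": PS, "cmdline": "powershell -NoProfile -enc " + enc(WRITE)},
    {"host": "ws-03", "image": PS, "cmdline": f'powershell.exe -Command "{READ}"'},
    {"host": "ws-04", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c findstr /i "StdRegProv SetStringValue" notes.txt'},
]
if __name__ == "__main__":
    print(flag_stdregprov_writes(SAMPLE_EVENTS))
```

Legitimate management tooling also writes to the registry through StdRegProv, so treat hits as triage leads to correlate with the parent process and the written key, not as a verdict.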

The malware collects system information, including Windows version, username and MAC address, and transmits it to the C2 server. The C2 communication involves a registration process and a main loop for executing commands received from the server.

In addition to the Rust variant, two previously undisclosed Windows variants of SysJoker were identified: DMADevice and AppMessagingRegistrar. These variants exhibit more complexity, with multi-stage execution flows, including downloader, installer and payload components.
