|
Getting your Trinity Audio player ready... |
Rust-based SysJoker Backdoor: A New Wave of Malware Targeting Multiple Platforms
The emergence of Rust-based SysJoker malware marks a significant threat to users across Windows, Linux, and Mac platforms. Initially identified by Intezer in 2022, this multi-platform backdoor has been utilized in targeted attacks by a Hamas-affiliated APT against Israel. Notably, SysJoker demonstrates a shift in tactics, including the use of OneDrive for dynamic C2 (command and control server) URLs, bypassing traditional reputation-based services.
Evolution of SysJoker
Recent findings by Checkpoint researchers shed light on the Rust-based SysJoker backdoor, showcasing its complex execution flow. The malware, known for its unpredictable sleep intervals, possibly employs these as anti-analysis tactics. SysJoker’s OneDrive usage enables attackers to effortlessly update the C2 server address, posing a significant challenge for cybersecurity efforts.
The malware’s capability to gather crucial system information like Windows version, username, and MAC address has been noted. However, the latest Rust version shows a deviation from its predecessors, lacking the ability to download and execute remote files.
Windows Variants of SysJoker
Two additional SysJoker samples have been discovered, displaying increased complexity compared to the Rust variant. These samples, written in C++, involve a multi-stage execution flow, indicating an evolution in the malware’s development.
Link to Hamas Hackers and Operation Electric Powder
The connection between the SysJoker backdoor and ‘Operation Electric Powder,’ dating back to 2016-2017, has been established. This operation, involving cyber-attacks targeting Israel, is believed to be orchestrated by the Hamas-affiliated ‘Gaza Cybergang.’ The new SysJoker variant, submitted to VirusTotal in October 2023, aligns with the escalation of tensions between Israel and Hamas.
SysJoker’s primary function involves fetching and loading additional payloads, with its communication primarily handled through a OneDrive URL. Despite its advanced capabilities, the malware currently lacks command execution features seen in earlier versions.
Conclusion
While the full extent of SysJoker’s impact and its definitive ties to the Hamas-affiliated group remain under investigation, its emergence underscores the evolving landscape of cybersecurity threats. Users across multiple platforms must remain vigilant against such sophisticated malware.
Photo by Ryunosuke Kikuno on Unsplash
