SysJoker Malware: Hamas-Related Threat Expands With Rust Variant
The SysJoker malware has been linked to targeted attacks by a Hamas-affiliated threat actor during the Israel-Hamas conflict.
The unattributed multi-platform backdoor has undergone significant changes, with a shift to the Rust programming language, indicating a complete code rewrite while maintaining similar functionalities.
According to an advisory published by Check Point Research (CPR) last week, one of the key modifications involves the use of OneDrive instead of Google Drive for storing dynamic command-and-control (C2) server URLs, providing the threat actor with flexibility in changing C2 addresses.
“The earlier versions of the malware were coded in C++,” reads the advisory. “Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements.”
Analysis of new SysJoker variants also revealed connections to Operation Electric Powder, a series of targeted attacks against Israeli organizations between 2016 and 2017, previously linked to the Gaza Cybergang (aka Molerats). Both campaigns share a unique PowerShell command based on the StdRegProv WMI class.
The Rust variant of SysJoker, submitted to VirusTotal as “php-cgi.exe” on October 12, 2023, employs random sleep intervals to potentially evade sandbox and analysis measures. It operates in one of two modes depending on whether it is running from a specific path. During the first execution, the malware establishes persistence through PowerShell, while subsequent executions retrieve C2 server addresses from OneDrive.
The malware collects system information, including Windows version, username and MAC address, and transmits it to the C2 server. The C2 communication involves a registration process and a main loop for executing commands received from the server.
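The behaviour chain described above (PowerShell persistence keyed on the StdRegProv class, a OneDrive lookup to fetch the C2 address, then a beacon to the fetched C2) lends itself to a simple hunting rule. The following is an added example, not code from the Check Point report: the log format, host names, file paths, OneDrive endpoint names and the C2 address are all constructed, and the PowerShell command line is elided because the article does not reproduce it.

```python
"""Hunting heuristic for the SysJoker Rust-variant behaviour chain (added example)."""
from collections import defaultdict

ONEDRIVE_HOSTS = ("onedrive.live.com", "1drv.ms")  # assumed OneDrive endpoints

# Constructed telemetry, one event per line: timestamp|host|event|image|detail.
# WS-01 shows the suspicious chain; WS-02 is a legitimate PHP FastCGI worker.
SAMPLE_LOGS = """\
2023-10-12T09:00:01|WS-01|ProcessCreate|C:\\Users\\u\\AppData\\Roaming\\php-cgi.exe|parent=explorer.exe
2023-10-12T09:00:02|WS-01|ProcessCreate|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=<elided> StdRegProv <elided>
2023-10-12T09:05:10|WS-01|NetworkConnect|C:\\Users\\u\\AppData\\Roaming\\php-cgi.exe|dst=onedrive.live.com:443
2023-10-12T09:05:11|WS-01|NetworkConnect|C:\\Users\\u\\AppData\\Roaming\\php-cgi.exe|dst=203.0.113.10:443
2023-10-12T09:00:05|WS-02|ProcessCreate|C:\\Program Files\\PHP\\php-cgi.exe|parent=httpd.exe
2023-10-12T09:00:06|WS-02|NetworkConnect|C:\\Program Files\\PHP\\php-cgi.exe|dst=127.0.0.1:9000
"""


def parse(lines):
    """Yield one dict per non-empty log line; image is the bare file name."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, host, event, image, detail = line.split("|", 4)
        yield {"ts": ts, "host": host, "event": event,
               "image": image.rsplit("\\", 1)[-1].lower(), "detail": detail}


def hunt(lines, threshold=2):
    """Return {host: [indicator, ...]} for hosts with at least `threshold` hits."""
    hits = defaultdict(list)
    onedrive_seen = set()  # hosts where php-cgi.exe already reached OneDrive
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        h = ev["host"]
        # Persistence step: PowerShell invoking the StdRegProv WMI class.
        if ev["image"] == "powershell.exe" and "StdRegProv" in ev["detail"]:
            hits[h].append("powershell_stdregprov")
        # A CGI binary talking to OneDrive, then to something else, is the C2 pattern.
        if ev["image"] == "php-cgi.exe" and ev["event"] == "NetworkConnect":
            dst = ev["detail"].split("=", 1)[1].rsplit(":", 1)[0]
            if dst in ONEDRIVE_HOSTS:
                hits[h].append("php-cgi_onedrive_lookup")
                onedrive_seen.add(h)
            elif h in onedrive_seen:
                hits[h].append("php-cgi_post_onedrive_c2")
    return {h: v for h, v in hits.items() if len(v) >= threshold}
```

Raising the threshold trades recall for precision; the OneDrive lookup alone is weak evidence, since the malware deliberately hides among legitimate cloud traffic.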
In addition to the Rust variant, two previously undisclosed Windows variants of SysJoker were identified: DMADevice and AppMessagingRegistrar. These variants exhibit more complexity, with multi-stage execution flows, including downloader, installer and payload components.