SysJoker Malware: Hamas-Related Threat Expands With Rust Variant
The SysJoker malware has been linked to targeted attacks by a Hamas-affiliated threat actor during the Israel-Hamas conflict.
The unattributed multi-platform backdoor has undergone significant changes, with a shift to the Rust programming language, indicating a complete code rewrite while maintaining similar functionalities.
According to an advisory published by Check Point Research (CPR) last week, one of the key modifications involves the use of OneDrive instead of Google Drive for storing dynamic command-and-control (C2) server URLs, providing the threat actor with flexibility in changing C2 addresses.
“The earlier versions of the malware were coded in C++,” reads the advisory. “Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements.”
Analysis of new SysJoker variants also revealed connections to Operation Electric Powder, a series of targeted attacks against Israeli organizations between 2016 and 2017, previously linked to the Gaza Cybergang (aka Molerats). Both campaigns share a unique PowerShell command based on the StdRegProv WMI class.
The Rust variant of SysJoker, submitted to VirusTotal as “php-cgi.exe” on October 12, 2023, employs random sleep intervals, likely to evade sandbox and analysis measures. It operates in one of two modes depending on whether it is running from a specific path. During the first execution, the malware establishes persistence through PowerShell, while subsequent executions retrieve C2 server addresses from OneDrive.
The malware collects system information, including Windows version, username and MAC address, and transmits it to the C2 server. The C2 communication involves a registration process and a main loop for executing commands received from the server.
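The two traits described above (a PowerShell command built on the StdRegProv WMI class, and C2 addresses fetched from OneDrive) can be combined into a simple hunting rule. The following is an added example, not code from the CPR advisory; the telemetry records, their field names and the allow-list of processes expected to reach OneDrive are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs); the field names are an assumption,
# not a real EDR schema. "php-cgi.exe" is the filename the Rust sample carried on VirusTotal.
EVENTS = [
    {"host": "ws01", "type": "ps_script", "proc": "powershell.exe",
     "text": "$reg = [wmiclass]'root\\default:StdRegProv'"},
    {"host": "ws01", "type": "net_conn", "proc": "php-cgi.exe", "dest": "onedrive.live.com"},
    {"host": "ws02", "type": "net_conn", "proc": "OneDrive.exe", "dest": "onedrive.live.com"},
    {"host": "ws03", "type": "ps_script", "proc": "powershell.exe",
     "text": "Get-CimInstance Win32_OperatingSystem"},
    {"host": "ws03", "type": "net_conn", "proc": "msedge.exe", "dest": "onedrive.live.com"},
]

STDREGPROV = re.compile(r"StdRegProv", re.IGNORECASE)
ONEDRIVE_DEST = re.compile(r"(^|\.)(onedrive\.live\.com|1drv\.ms)$", re.IGNORECASE)
# Processes that legitimately talk to OneDrive in this (assumed) environment;
# anything else reaching it is worth a second look.
EXPECTED_ONEDRIVE_PROCS = {"onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe", "explorer.exe"}

def hunt(events, expected_procs=EXPECTED_ONEDRIVE_PROCS):
    """Return {host: [reasons]} for hosts that show BOTH SysJoker-like traits:
    a PowerShell script block using the StdRegProv WMI class, and an outbound
    OneDrive connection from a process that is not expected to use OneDrive."""
    regprov_hosts = set()
    odd_onedrive = defaultdict(set)
    for ev in events:
        if ev["type"] == "ps_script" and STDREGPROV.search(ev.get("text", "")):
            regprov_hosts.add(ev["host"])
        elif ev["type"] == "net_conn" and ONEDRIVE_DEST.search(ev.get("dest", "")):
            if ev["proc"].lower() not in expected_procs:
                odd_onedrive[ev["host"]].add(ev["proc"])
    findings = {}
    for host in regprov_hosts & set(odd_onedrive):
        findings[host] = [
            "PowerShell script block references StdRegProv",
            "OneDrive contacted by unexpected process(es): " + ", ".join(sorted(odd_onedrive[host])),
        ]
    return findings

if __name__ == "__main__":
    for host, reasons in hunt(EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Requiring both traits on the same host keeps the rule from firing on ordinary StdRegProv administration scripts or on normal OneDrive sync traffic alone.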
In addition to the Rust variant, two previously undisclosed Windows variants of SysJoker were identified: DMADevice and AppMessagingRegistrar. These variants exhibit more complexity, with multi-stage execution flows, including downloader, installer and payload components.