Hamas-Linked Cyberattacks Using Rust-Powered SysJoker Backdoor Against Israel

November 24, 2023 at 05:36AM

Researchers have discovered a Rust version of the cross-platform backdoor SysJoker, indicating its use by a Hamas-affiliated group to target Israel. The malware has undergone significant changes, including a shift to the Rust language. The threat actor has also switched from Google Drive to OneDrive for storing command-and-control (C2) server URLs. Using OneDrive lets the attackers change the C2 address easily, which helps them evade reputation-based services. SysJoker can execute remote commands and download additional malware onto victim machines. The backdoor shows similarities to malware used during Operation Electric Powder, linked to a Hamas-affiliated group known as Molerats.

Summary:
– Cybersecurity researchers have identified a Rust variant of a cross-platform backdoor called SysJoker.
– The malware was used by a Hamas-affiliated threat actor to target Israel during the ongoing war in the region.
– The Rust version of SysJoker has undergone significant changes, including a shift to the Rust language and the use of OneDrive instead of Google Drive for storing command-and-control server URLs.
– SysJoker is a cross-platform backdoor capable of gathering system information, establishing contact with an attacker-controlled server, executing commands remotely, and downloading and executing new malware.
– The Rust variant employs random sleep intervals to evade sandboxes.
– OneDrive is used to retrieve the encrypted and encoded command-and-control server address.
– Once a connection with the server is established, additional payloads are executed on the compromised host.
– There are similarities between SysJoker and malware samples used in the Operation Electric Powder campaign, suggesting a possible connection between the attacks.
– SysJoker has not yet been attributed to a specific threat actor or group.