Hamas-Linked APT Wields New SysJoker Backdoor Against Israel

November 27, 2023 at 12:48PM

Palestinian militant group Hamas is using a revamped version of the SysJoker backdoor to target Israel, according to researchers from Check Point. The new variant, written in the Rust programming language, keeps the functionality of the earlier version but is a complete rewrite. The group is also hosting its command-and-control (C2) server URLs on OneDrive. The researchers noted similarities with previous attacks attributed to Gaza Cybergang. Check Point has published indicators of compromise to help organizations check whether they have been targeted.

Meeting Takeaways:

1. The Palestinian militant group Hamas is using a revamped version of the SysJoker multi-platform backdoor to attack targets in Israel during the ongoing conflict.
2. The Gaza Cybergang, also known as Molerats, is believed to be behind these attacks using a Rust-based version of SysJoker.
3. SysJoker has been completely rewritten from C++ to Rust, a significant evolution of the malware. Rust is favored by hackers and organizations alike because of security features that make its binaries harder to detect and reverse-engineer.
4. The new variant uses OneDrive instead of Google Drive to store dynamic command-and-control (C2) server URLs, allowing attackers to easily change the C2 address and stay ahead of reputation-based services.
5. The malware has evasive features, including random sleep intervals and different modes of operation based on persistence.
6. SysJoker collects information about the infected system, such as the Windows version, username and MAC address, and sends it back to the C2.
7. Check Point discovered a link between the latest Rust-based SysJoker attacks and the 2016-2017 Electric Powder Operation attributed to Gaza Cybergang, suggesting a connection between the two campaigns.
8. Check Point provides indicators of compromise (IOCs) and hashes associated with the SysJoker attacks to help organizations identify if they have been targeted. Endpoint protection and threat emulation tools are recommended to secure potential victims.
