November 27, 2023 at 09:57AM
Recently, a new variant of the multi-platform malware ‘SysJoker’ has been discovered: a complete rewrite in the Rust programming language. The malware, first documented in early 2022, runs on Windows, Linux, and macOS. Check Point has linked the new variant to ‘Operation Electric Powder,’ a campaign believed to be orchestrated by the Hamas-affiliated threat group ‘Gaza Cybergang.’ The malware uses random sleep intervals and custom encryption to evade detection and analysis, and it communicates with a command and control server to fetch and load additional payloads. The link to Hamas, however, is not conclusive.
Meeting Notes – SysJoker Malware
1. SysJoker is a multi-platform malware that has recently resurfaced as a complete code rewrite in the Rust programming language.
2. It was first documented in early 2022 as a Windows, Linux, and macOS malware by Intezer.
3. The malware features in-memory payload loading, multiple persistence mechanisms and “living off the land” commands, and so far its OS variants have gone undetected on VirusTotal.
4. Check Point’s analysis of the new Rust-based variants found a connection between the previously unattributed backdoor and ‘Operation Electric Powder,’ a series of cyber-attacks targeting Israel between 2016 and 2017.
5. The Rust-based variant of SysJoker was submitted to VirusTotal on October 12, 2023, coinciding with the escalation of the war between Israel and Hamas.
6. The malware employs random sleep intervals and custom encryption to evade detection and analysis.
7. On execution, the malware sets up persistence by modifying the registry through a PowerShell command, then retrieves its C2 server address from a OneDrive URL (a dead-drop resolver) before establishing communication with the command and control (C2) server.
8. SysJoker’s primary function is to fetch and load additional payloads via JSON-encoded commands received from the C2 server.
9. While the malware still collects system information, it lacks the command execution capabilities seen in previous versions, possibly to make it lighter and stealthier.
10. Check Point has discovered two additional samples of SysJoker named ‘DMADevice’ and ‘AppMessagingRegistrar,’ which followed similar operational patterns.
11. Check Point tentatively links SysJoker to the Hamas-affiliated threat group ‘Gaza Cybergang’ because the PowerShell persistence command uses the ‘StdRegProv’ WMI class, a technique also seen in earlier attacks of the ‘Operation Electric Powder’ campaign.
12. Other overlaps include the script commands, the data collection methods, and the use of API-themed URLs.
13. However, it is important to note that the evidence collected does not conclusively attribute SysJoker to the Gaza Cybergang.
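The persistence detail in notes 7 and 11 (a PowerShell command that writes the registry through the StdRegProv WMI class) is the most actionable detection hook on this page. The following is an added example, not code from Check Point’s report or from the notes: a small Python detection sketch that scans constructed, Sysmon-style process-creation log lines and flags PowerShell processes that invoke StdRegProv write methods, ranking hits against autorun keys higher. The exact SysJoker command line, the Run-key target, the hive constant and the JSON field names are assumptions; the logic keys on the technique rather than on a literal string.

```python
"""Added detection example: flag PowerShell process-creation events that use
the StdRegProv WMI class to write registry values, especially autorun keys.

The log lines are constructed for this example in a Sysmon Event ID 1 style
(JSON per line); they are not real SysJoker telemetry, and the exact command
line SysJoker uses is an assumption. The logic keys on the technique
(WMI registry write from PowerShell, MITRE ATT&CK T1047 + T1547.001)
rather than on a literal string, so reordered or re-quoted variants still hit.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Registry paths whose values run at logon. Matched as substrings of the
# normalized command line, so hive prefixes and quoting styles don't matter.
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",  # also matches RunOnce
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)

# StdRegProv methods that create or modify keys/values (reads are ignored).
WRITE_METHODS = (
    "setstringvalue", "setexpandedstringvalue", "setmultistringvalue",
    "setdwordvalue", "setqwordvalue", "setbinaryvalue", "createkey",
)


@dataclass
class Finding:
    pid: int
    reason: str
    command_line: str


def normalize(cmd: str) -> str:
    """Lower-case and collapse whitespace so casing/spacing tricks don't evade."""
    return re.sub(r"\s+", " ", cmd).lower()


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding when a PowerShell process writes the registry via StdRegProv."""
    image = event.get("Image", "").lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None  # reg.exe / Set-ItemProperty are left to other rules
    cmd = normalize(event.get("CommandLine", ""))
    if "stdregprov" not in cmd:
        return None
    if not any(method in cmd for method in WRITE_METHODS):
        return None  # read-only use (GetStringValue, EnumKey, ...) is common and benign
    if any(key in cmd for key in AUTORUN_KEYS):
        reason = "StdRegProv write to autorun key (persistence)"
    else:
        reason = "StdRegProv registry write from PowerShell"
    return Finding(int(event.get("ProcessId", 0)), reason, event.get("CommandLine", ""))


def scan(log_lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-per-line events and collect findings; malformed lines are skipped."""
    findings = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyze_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry), serialized the way a
# JSON-per-line collector would emit Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "Image": PS,
     "CommandLine": "powershell.exe Get-Process | Sort-Object CPU"},
    # Assumed SysJoker-style persistence: hidden window, WMI write to the HKCU (0x80000001) Run key.
    {"ProcessId": 4122, "Image": PS,
     "CommandLine": r'''powershell.exe -windowstyle hidden -Command "Invoke-WmiMethod -Namespace root\default -Class StdRegProv -Name SetStringValue -ArgumentList 2147483649,'Software\Microsoft\Windows\CurrentVersion\Run','UI','C:\Users\u\AppData\Roaming\ui.exe'"'''},
    # Same intent via reg.exe: out of scope here, covered by classic Run-key rules.
    {"ProcessId": 4130, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v UI /d C:\Users\u\AppData\Roaming\ui.exe'},
    # Read-only StdRegProv call: common in admin scripts, not flagged.
    {"ProcessId": 4141, "Image": PS,
     "CommandLine": r'''powershell.exe -Command "([wmiclass]'root\default:StdRegProv').GetStringValue(2147483649,'Software\Microsoft\Windows\CurrentVersion\Run','UI')"'''},
    # Write to a non-autorun key via the [wmiclass] syntax: lower-severity finding.
    {"ProcessId": 4150, "Image": PS,
     "CommandLine": r'''pwsh.exe -Command "([wmiclass]'root\default:StdRegProv').SetStringValue(2147483649,'Software\Contoso\Agent','Mode','quiet')"'''},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not json at all"]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"pid={f.pid}: {f.reason}\n    {f.command_line}")
```

Run against the constructed log, only the two StdRegProv writes (PIDs 4122 and 4150) are reported; the Run-key write is labelled as persistence. Substring matching is deliberate: it survives `-ArgumentList` reordering, `[wmiclass]` versus `Invoke-WmiMethod` syntax and mixed casing, while the read-only and reg.exe cases stay quiet so the rule does not drown in administrative noise.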