Check Point Research has been closely monitoring the active development of SysJoker, a cross-platform backdoor that is believed to have been utilized by a Hamas-linked hacker group to target Israel. This sophisticated malware has undergone significant changes, including a transition from the programming language C to Rust, indicating a complete rewrite of the code while maintaining similar functionality.
One notable change in SysJoker is the shift from using Google Drive to OneDrive for storing dynamic Command and Control (C2) server URLs. By making this switch, the attackers have altered their infrastructure, potentially making it more challenging to track their activities.
One variant of SysJoker, written in Rust, was submitted to VirusTotal under the name php-cgi.exe. This particular version of the malware employs random sleep intervals at different stages of execution, which may serve as an anti-analysis measure. By introducing these sleep intervals, the attackers aim to evade detection by security researchers and hinder the analysis of their malicious code.
The SysJoker backdoor is designed to collect various information about the infected system, including the Windows version, username, MAC address, IP address, and other relevant data. This collected information is then sent to the C2 server, allowing the attackers to gain insights into the compromised systems.
During the analysis of the new SysJoker variants, researchers discovered previously undisclosed samples that were linked to Operation Electric Powder. This series of targeted attacks occurred between 2016 and 2017 and targeted Israeli organizations. These attacks were indirectly associated with the Gaza Cybergang, also known as the Gaza Hackers Team or MoleRATs, a hacker group believed to operate from Palestine.
Researchers concluded that there is evidence of SysJoker’s involvement in the ongoing Israeli-Hamas conflict. Additionally, they were able to establish a connection between SysJoker and the Electric Powder Operation against the Israel Electric Company, which occurred in 2016-2017.
In a separate incident in 2017, Palo Alto Networks uncovered a malicious campaign conducted by the Gaza Cybergang group, specifically targeting government organizations. This campaign employed two malware samples: the Downeks loader and the QuasarRAT remote access trojan. Notably, these malware samples were designed to target users who speak Hebrew, indicating a targeted approach by the attackers.
The continuous development and adaptation of SysJoker highlight the persistent efforts of hacker groups to evolve their tactics and techniques. By utilizing a new programming language and altering their infrastructure, the attackers aim to bypass security measures and maintain their ability to infiltrate targeted systems.
As organizations and individuals alike face the growing threat landscape, it is crucial to stay vigilant and employ robust security measures to protect against sophisticated malware like SysJoker. Regularly updating security software, practicing strong password hygiene, and staying informed about the latest threats can help mitigate the risks associated with these evolving cyberattacks.