Cybersecurity researchers have shed light on a Rust version of the cross-platform backdoor SysJoker, which is suspected to have been used by a Hamas-affiliated threat actor to target Israel amid the ongoing war in the region.
“One of the most notable changes is the transition to the Rust language, which indicates that the malware code has been completely rewritten, while maintaining the same functionality,” Check Point said in an analysis published on Wednesday. “Additionally, the threat actor switched to using OneDrive instead of Google Drive to store dynamic C2 (command-and-control server) URLs.”
SysJoker was publicly documented by Intezer in January 2022, which described it as a backdoor capable of collecting system information and establishing contact with a server controlled by the attacker by accessing a text file hosted on Google Drive that contains a hard-coded URL.
“Being cross-platform allows malware authors to exploit multiple infections across all major platforms,” VMware said last year. “SysJoker has the ability to execute commands remotely as well as download and execute new malware on victim machines.”
The discovery of a Rust variant of SysJoker points to an evolution of the cross-platform threat, with the implant using random sleep intervals at different stages of its execution, possibly in an effort to avoid sandboxes.
Another notable change is the use of OneDrive to retrieve the encrypted and encoded C2 server address, which the implant then decodes and parses to obtain the IP address and port it should connect to.
“Using OneDrive allows attackers to easily change the C2 address, enabling them to bypass various reputation-based services,” Check Point said. “This behavior remains consistent across different versions of SysJoker.”
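The retrieval step described above is a classic "dead drop resolver": the malware fetches a small file from a legitimate cloud service, decodes it, and treats the result as its C2 endpoint, so the operator can repoint every infection by editing one file. The following is an added example written for this article, not Check Point's code or SysJoker's, that models that step offline. The encoding scheme (hex-encoded, repeating-key XOR), the key, and the sample file contents are constructed assumptions; the article does not say how SysJoker encodes the address. The point a practitioner should take from it is the validation: anything that fails to decrypt to a well-formed IP:port is rejected rather than connected to.

```rust
// Added example: offline model of a dead-drop resolver (cloud-hosted file -> C2 IP:port).
// ASSUMPTION: the file holds hex text of the "ip:port" string XORed with a repeating key.
// This is illustrative only; it is not SysJoker's real encoding or key.
use std::net::SocketAddrV4;
use std::str::FromStr;

/// Constructed sample of what a fetched dead-drop file might contain (assumed format).
/// Decodes to "203.0.113.10:4443" under SAMPLE_KEY.
pub const SAMPLE_DROP: &str = "59034a4503575a024a45024951074d5f00";
/// Constructed repeating XOR key (assumption).
pub const SAMPLE_KEY: &[u8] = b"k3y";

/// Decode a hex string into bytes, rejecting odd lengths and non-hex characters.
fn hex_decode(s: &str) -> Result<Vec<u8>, String> {
    let s = s.trim();
    if !s.is_ascii() || s.len() % 2 != 0 {
        return Err("dead-drop contents are not even-length ASCII hex".to_string());
    }
    (0..s.len())
        .step_by(2)
        .map(|i| u8::from_str_radix(&s[i..i + 2], 16).map_err(|e| format!("bad hex at {}: {}", i, e)))
        .collect()
}

/// Repeating-key XOR (same function encrypts and decrypts).
fn xor_with_key(data: &[u8], key: &[u8]) -> Vec<u8> {
    data.iter().zip(key.iter().cycle()).map(|(b, k)| b ^ k).collect()
}

/// Operator side: produce the file contents for a given C2 address (used to build the sample).
pub fn encode_drop(addr: &SocketAddrV4, key: &[u8]) -> String {
    xor_with_key(addr.to_string().as_bytes(), key)
        .iter()
        .map(|b| format!("{:02x}", b))
        .collect()
}

/// Implant side: turn fetched file contents into a validated C2 socket address.
/// Fails closed on bad hex, non-UTF-8 plaintext, or anything that is not IPv4:port.
pub fn resolve_c2(drop_contents: &str, key: &[u8]) -> Result<SocketAddrV4, String> {
    if key.is_empty() {
        return Err("empty key".to_string());
    }
    let plain = xor_with_key(&hex_decode(drop_contents)?, key);
    let text = String::from_utf8(plain).map_err(|_| "decrypted bytes are not UTF-8".to_string())?;
    SocketAddrV4::from_str(text.trim()).map_err(|e| format!("not an IPv4 socket address: {}", e))
}

fn main() {
    match resolve_c2(SAMPLE_DROP, SAMPLE_KEY) {
        Ok(addr) => println!("dead drop resolves to {}", addr),
        Err(e) => println!("rejected dead-drop contents: {}", e),
    }
}
```

The same structure is useful on the defensive side: once the encoding of a real sample is recovered, a resolver like this can be pointed at the actual hosted file to track how the operator rotates C2 addresses over time, without ever running the implant.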
Once connected to the server, the implant waits for additional payloads, which are then executed on the compromised host.
The cybersecurity company said it also discovered two previously unseen samples of SysJoker designed for Windows that are more sophisticated, one of which uses a multi-stage execution process to launch the malware.
SysJoker has not been formally attributed to any threat actor or group. But newly gathered evidence shows overlaps between the backdoor and malware samples used in Operation Electric Powder, a targeted campaign against Israeli organizations between April 2016 and February 2017.
“Both campaigns use API-themed URLs and execute script commands in the same way,” Check Point said, raising the possibility that “the same actor is responsible for both attacks, despite the large time gap between operations.”