Hamas-Linked APT Wields New SysJoker Backdoor Against Israel

Published: 23/11/2024   Category: security




Gaza Cybergang is using a version of the malware rewritten in the Rust programming language.



Attackers linked to the Palestinian militant group Hamas are using a revamped version of the SysJoker multi-platform backdoor to attack targets in Israel as the current conflict between the two continues despite a current pause in the fighting.

An advanced persistent threat (APT) group, believed to be Gaza Cybergang (aka Molerats), is attacking Israeli targets with a Rust-based version of SysJoker, an unattributed, multi-platform backdoor first discovered by Intezer in 2021, researchers from Check Point revealed in a blog post late last week.
The latest variant maintains similar functionalities to the original malware, but has been completely rewritten from its original language C++ to the Rust programming language, signaling a significant evolution in the malware, the researchers noted. The APT also uses OneDrive instead of Google Drive, used in previous variants, to store dynamic command-and-control (C2) server URLs.
Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements, the researchers noted.

The platform-agnostic Rust, first released eight years ago, is a programming language increasingly favored by organizations and hackers alike, mainly because of its security features, which make it harder to detect and reverse-engineer.
The Rust-based variant of SysJoker discovered by Check Point was submitted to VirusTotal on Oct. 12, having been compiled a few months earlier on Aug. 7. Researchers observed some notable evasive features, including the employment of random sleep intervals at various stages of its execution, which may serve as possible anti-sandbox or anti-analysis measures, according to the post.
The variant has two modes of operation that appear aimed at differentiating the first execution from any subsequent ones based on persistence. The mode proceeds to one of two possible stages depending on the malware's presence in a particular path, C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe.
If the malware runs from persistence, it contacts a OneDrive URL hardcoded and encrypted inside the binary to retrieve the C2 server address. Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services, according to the post. This behavior remains consistent across different versions of SysJoker.
If the sample runs from a different location, which would indicate that it's the first time the sample is executed, the malware copies itself to the path C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe and then runs itself from the newly created path using PowerShell.
SysJoker then proceeds to collect information about the infected system, including the Windows version, username, MAC address, and various other data to send back to the C2.
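The three behaviours described above (a fixed persistence path under ProgramData, a PowerShell relaunch from that path, and a OneDrive lookup to fetch the real C2 address) are all visible in ordinary endpoint telemetry. The Python below is an added example and is not code from Check Point or from the article: it runs three detection rules over constructed Sysmon-style JSON records. The record shape and field names (`event`, `image`, `parent_image`, `dest_host`) are my own assumptions, as is the set of OneDrive host names; the persistence path is the one the report names.

```python
"""Defender-side detection for the SysJoker persistence behaviour.

Added example, not Check Point's or the article's code. Records are assumed
to be one JSON object per line in a Sysmon-like shape with the fields
event, id, image, parent_image and dest_host (all field names are assumed).
"""
import json
import re
from dataclasses import dataclass

# Persistence path named in the Check Point report (as quoted in the article).
SYSJOKER_PATH = r"C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe"

# Hosts a OneDrive-hosted C2 lookup would resolve to (assumed host list).
ONEDRIVE_HOSTS = re.compile(r"(^|\.)(onedrive\.live\.com|1drv\.ms|sharepoint\.com)$", re.I)

# Any executable dropped directly under C:\ProgramData.
PROGRAMDATA_EXE = re.compile(r"^C:\\ProgramData\\.+\.exe$", re.I)


@dataclass
class Alert:
    rule: str
    record_id: int
    detail: str


def _norm(path: str) -> str:
    """Lower-case and unquote a Windows path so comparisons are case-insensitive."""
    return path.strip().strip('"').lower()


def evaluate(record: dict) -> list:
    """Apply the three rules to one telemetry record and return any alerts."""
    alerts = []
    rid = record.get("id")
    image = _norm(record.get("image", ""))
    if record.get("event") == "process_create":
        parent = _norm(record.get("parent_image", ""))
        # Rule 1: the exact path SysJoker copies itself to for persistence.
        if image == SYSJOKER_PATH.lower():
            alerts.append(Alert("sysjoker_persistence_path", rid, image))
        # Rule 2: PowerShell launching an executable from under ProgramData,
        # matching the first-run relaunch described in the article.
        if parent.endswith("\\powershell.exe") and PROGRAMDATA_EXE.match(record.get("image", "")):
            alerts.append(Alert("powershell_launches_programdata_exe", rid, f"{parent} -> {image}"))
    elif record.get("event") == "network_connect":
        host = record.get("dest_host", "")
        # Rule 3: the persisted binary contacting OneDrive to retrieve the C2 address.
        if image == SYSJOKER_PATH.lower() and ONEDRIVE_HOSTS.search(host):
            alerts.append(Alert("sysjoker_onedrive_c2_lookup", rid, f"{image} -> {host}"))
    return alerts


def scan(lines) -> list:
    """Run evaluate() over every non-empty JSON line and collect the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            alerts.extend(evaluate(json.loads(line)))
    return alerts


# Constructed sample telemetry: two benign records, one benign OneDrive user,
# and the two-step SysJoker pattern (PowerShell relaunch, then C2 lookup).
SAMPLE_LOG = r"""
{"event": "process_create", "id": 1, "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"event": "process_create", "id": 2, "image": "C:\\ProgramData\\php-7.4.19-Win32-vc15-x64\\php-cgi.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"event": "network_connect", "id": 3, "image": "C:\\ProgramData\\php-7.4.19-Win32-vc15-x64\\php-cgi.exe", "dest_host": "onedrive.live.com"}
{"event": "network_connect", "id": 4, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_host": "onedrive.live.com"}
{"event": "process_create", "id": 5, "image": "C:\\ProgramData\\Vendor\\updater.exe", "parent_image": "C:\\Windows\\System32\\services.exe"}
"""


def run_sample() -> list:
    """Scan the constructed log; returns three alerts for record ids 2, 2 and 3."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] record {a.record_id}: {a.detail}")
```

Rule 2 is deliberately broader than the specific path so that a renamed drop under ProgramData still fires, at the cost of needing an allow-list for legitimate installers that relaunch through PowerShell; rules 1 and 3 are narrow and low-noise because they key on the path the report names.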
In addition to the newly found Rust variant, Check Point also uncovered two more new SysJoker samples that are slightly more complex.
Check Point also found a connection between the latest attacks using the Rust-based SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company attributed to Gaza Cybergang, despite the significant time gap between the operations. The Electric Powder Operation, revealed in a report by ClearSky, used phishing and fake Facebook pages to deliver both Windows and Android malware.
Both campaigns used API-themed URLs and implemented script commands in a similar fashion, the researchers noted. There also are similarities between a PowerShell command used for persistence in the latest SysJoker attacks and the Electric Powder Operation, they said.
The unique PowerShell command is a string associated with custom encryption used by SysJoker alongside two other strings — the OneDrive URL containing the final C2 address and the C2 address received from the request to OneDrive, the researchers noted.
It is shared between multiple variants of SysJoker and only appears to be shared with one other campaign, associated with Operation Electric Powder previously reported by ClearSky, according to the post.
Check Point included a list of indicators of compromise (IOCs) and hashes associated with the SysJoker attacks to help organizations identify if they have been targeted. Endpoint protection and threat emulation tools can also help secure and protect potential victims against compromise.
