Hamas-Linked APT Wields New SysJoker Backdoor Against Israel

Attackers linked to the Palestinian militant group Hamas are using a revamped version of the SysJoker multi-platform backdoor to attack targets in Israel as the current conflict between the two continues despite a current pause in the fighting.

An advanced persistent threat (APT) group, believed to be Gaza Cybergang (aka Molerats), is attacking Israel targets with a Rust-based version of SysJoker, an unattributed, multi-platform backdoor first discovered by Intezer in 2021, researchers from Check Point revealed in a blog post late last week.

The latest variant maintains similar functionalities to the original malware, but has been completely rewritten from its original language C++ to the Rust programming language, signaling a significant evolution in the malware, the researchers noted. The APT also uses OneDrive instead of Google Drive, used in previous variants, to store dynamic command-and-control (C2) server URLs.

"Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements," the researchers noted.

The platform-agnostic Rust, first released eight years ago, is a programming language increasingly favored by organizations and hackers alike mainly because of its security features, making it harder to detect and reverse-engineer.

New SysJoker in Play

The Rust-based variant of SysJoker discovered by Check Point was submitted to VirusTotal on Oct. 12, having been compiled a few months earlier on Aug. 7. Researchers observed some notable evasive features, including the employment of "random sleep intervals at various stages of its execution, which may serve as possible anti-sandbox or anti-analysis measures," according to the post.

The variant has two modes of operation that appear aimed at differentiating the first execution from any subsequent ones based on persistence. The mode proceeds to one of two possible stages depending upon the malware's presence in a particular path, C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe.

If the malware runs from persistence, it contacts a OneDrive URL hardcoded and encrypted inside the binary to retrieve the C2 server address. "Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services," according to the post. "This behavior remains consistent across different versions of SysJoker."

If the sample runs from a different location — which would indicate that it's the first time the sample is executed — the malware copies itself to the path C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe and then runs itself from the newly created path using PowerShell.

SysJoker then proceeds to collect information about the infected system, including the Windows version, username, MAC address, and various other data to send back to the C2.

In addition to the newly found Rust variant, Check Point also uncovered two more new SysJoker samples that are slightly more complex.

Links to Previous Attack

Check Point also found a connection between the latest attacks using the Rust-based SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company attributed to Gaza Cybergang — despite the significant time gap between the operations. The Electric Powder Operation, revealed in a report by ClearSky, used phishing and fake Facebook pages to deliver both Windows and Android malware.

Both campaigns used API-themed URLs and implemented script commands in a similar fashion, the researchers noted. There also are similarities between a PowerShell command used for persistence in the latest SysJoker attacks and the Electric Powder Operation, they said.

The "unique" PowerShell command is a string associated with custom encryption used by SysJoker alongside two other strings — the OneDrive URL containing the final C2 address and the C2 address received from the request to OneDrive, the researchers noted.

"It is shared between multiple variants of SysJoker and only appears to be shared with one other campaign, associated with Operation Electric Powder previously reported by ClearSky," according to the post.

Check Point included a list of indicators of compromise (IOCs) and hashes associated with the SysJoker attacks to help organizations identify if they have been targeted. Endpoint protection and threat emulation tools can also help secure and protect potential victims against compromise.