Advanced Evolution of a Multi-Platform Backdoor Hits In The Middle Of The Conflict
In the midst of the tensions in the Israel-Hamas conflict, Check Point Research (CPR) has uncovered a renewed threat – a fresh variant of the multi-platform backdoor SysJoker. CPR's cybersecurity team, actively monitoring activities in the region, revealed that a Hamas-affiliated APT (advanced persistent threat) group recently deployed the SysJoker malware against Israel.
SysJoker is a versatile multi-platform backdoor designed to target Windows, macOS, and Linux systems. Since its discovery, the malware has undergone continuous evolution and now employs a range of tactics aimed at evading detection. The latest variant of SysJoker is written in Rust.
According to CPR's technical report, the malware's code has undergone a complete rewrite while retaining its original functionalities. A significant modification involves the shift from Google Drive to OneDrive for storing dynamic C2 (Command and Control) URLs.
SysJoker employs two distinct modes for string decryption. The first, found in many SysJoker variants, involves multiple base64-encoded encrypted data blobs and a base64-encoded key. The second, more complex method utilizes a sophisticated string decryption algorithm.
The infrastructure of this campaign is dynamic, with the malware initially contacting a OneDrive address. From there, it decrypts a JSON containing the C2 address for communication, encrypted with a hardcoded XOR key and base64-encoded.
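The two configuration layouts described above (base64 blobs unlocked by a base64-encoded key, and a JSON C2 pointer XORed with a hardcoded key and then base64-encoded) are simple enough that an analyst can reconstruct the decoder to triage a sample's strings offline. The following is an added illustration, not code from CPR's report or from the malware: it assumes plain XOR is the "encryption" in both modes (the article does not name the cipher), and every key, URL and blob here is a constructed placeholder rather than a real SysJoker indicator.

```python
import base64
import json
from typing import List, Optional

# Constructed placeholders (NOT real SysJoker indicators): a made-up XOR key
# and a made-up C2 pointer in the JSON shape the article describes.
SAMPLE_KEY = b"example-xor-key"
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY).decode()
SAMPLE_CONFIG = {"url": "https://c2.example.invalid/api", "interval": 60}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_config(config: dict, key: bytes) -> str:
    """Build a blob in the layout the article describes: JSON -> XOR -> base64.
    Used here only to construct test input for the decoder."""
    raw = json.dumps(config, separators=(",", ":")).encode()
    return base64.b64encode(xor_bytes(raw, key)).decode()


def decode_config(blob_b64: str, key: bytes) -> dict:
    """Reverse the layout: base64 -> XOR with key -> JSON. Raises on malformed input."""
    raw = xor_bytes(base64.b64decode(blob_b64, validate=True), key)
    return json.loads(raw.decode("utf-8"))


def decode_config_b64key(blob_b64: str, key_b64: str) -> dict:
    """First mode from the article: the key itself is stored base64-encoded."""
    return decode_config(blob_b64, base64.b64decode(key_b64, validate=True))


def extract_c2_url(blob_b64: str, key: bytes) -> Optional[str]:
    """Return the C2 URL if the blob decodes to a JSON object with a string 'url',
    otherwise None. Bad base64, non-UTF-8 plaintext and non-JSON all map to None."""
    try:
        cfg = decode_config(blob_b64, key)
    except (ValueError, UnicodeDecodeError):  # binascii.Error and JSONDecodeError are ValueErrors
        return None
    url = cfg.get("url") if isinstance(cfg, dict) else None
    return url if isinstance(url, str) else None


def find_c2_in_strings(candidates: List[str], key: bytes) -> List[str]:
    """Analyst helper: run every candidate string (e.g. from a strings dump) through the
    decoder and collect the C2 URLs that come out. Noise simply fails to decode."""
    found = []
    for cand in candidates:
        url = extract_c2_url(cand.strip(), key)
        if url is not None:
            found.append(url)
    return found


# Constructed strings-dump: two noise entries around one genuine (constructed) blob.
CANDIDATE_STRINGS = [
    "plain text, not base64",
    "aGVsbG8=",  # base64("hello"): decodes, but XOR output is not JSON
    encode_config(SAMPLE_CONFIG, SAMPLE_KEY),
    "",
]

if __name__ == "__main__":
    print(find_c2_in_strings(CANDIDATE_STRINGS, SAMPLE_KEY))
```

The decoder deliberately swallows only the three error classes a wrong key or a non-config string produces; anything else (a typo in the key encoding, for instance) still surfaces as an exception so the analyst notices.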
CPR's report delves into the Rust variant of SysJoker, detailing its Windows variants, attributions, infection vectors, C2 communication mechanism, and functionalities, including file download/upload, command execution, and screenshot capture. Notably, the Rust version lacks the capability, present in previous SysJoker operations, to execute commands dictated by operators.
Researchers uncovered ties between the malware and the Gaza Cybergang, observing behavioral similarities with the Operation Electric Powder campaign that impacted Israeli organizations in 2016-2017. The Gaza Cybergang, known for its pro-Palestine stance, often launches attacks in defense of Palestinian interests.
The resurgence of SysJoker malware further expands the arsenal of cyberweapons wielded by hacktivists. Prior to this incident, Hamas hackers were identified deploying a new Linux malware, BiBi-Linux Wiper, against Israeli targets, underscoring the ongoing cyber warfare in the region.