New Rust-based SysJoker backdoor linked to Hamas hackers

A new version of the multi-platform malware known as 'SysJoker' has been spotted, featuring a complete code rewrite in the Rust programming language.

SysJoker is a stealthy Windows, Linux, and macOS malware first documented by Intezer in early 2022, who discovered and analyzed C++ versions at the time.

The backdoor featured in-memory payload loading, a plethora of persistence mechanisms, "living off the land" commands, and a complete lack of detection for all its OS variants on VirusTotal.

Examination of the new Rust-based variants by Check Point has established a connection between the previously unattributed backdoor and 'Operation Electric Powder,' which dates back to 2016-2017.

This operation involved a series of cyber-attacks targeting Israel, believed to be orchestrated by a Hamas-affiliated threat actor known as 'Gaza Cybergang.'

New SysJoker

The Rust-based variant of SysJoker was first submitted to VirusTotal on October 12, 2023, coinciding with the escalation of the war between Israel and Hamas.

The malware employs random sleep intervals and complex custom encryption for code strings to evade detection and analysis.

On the first launch, it performs registry modification for persistence using PowerShell and exits. Upon later executions, it establishes communication with the C2 (command and control) server, the address for which it retrieves from a OneDrive URL.

SysJoker's primary role is to fetch and load additional payloads on the compromised system, directed via the reception of JSON-encoded commands.

While the malware still collects system information like OS version, username, MAC address, etc., and sends it to the C2, it lacks the command execution capabilities seen in previous versions. This might return in a future release or have been stripped by the backdoor's developers to make it lighter and stealthier.

Check Point discovered two more SysJoker samples they named 'DMADevice' and 'AppMessagingRegistrar' based on their specific characteristics, but states that they all follow similar operational patterns.

Possible ties to Hamas

The specific element that allowed Check Point to potentially link SysJoker to the Hamas-affiliated threat group 'Gaza Cybergang' is utilizing the 'StdRegProv' WMI class in the PowerShell command used for establishing persistence.

This method was seen in past attacks against the Israel Electric Company, part of the 'Operation Electric Powder' campaign.

Other similarities between the activities include the implementation of certain script commands, the data collection methods, and using API-themed URLs.

All that said, and given the existing evidence, the confidence in the attribution is not conclusive.