A new version of SysJoker, a multi-platform backdoor, has been discovered with its codebase completely rewritten in the Rust programming language.
All about SysJoker
Intezer first documented SysJoker in early 2022 as a stealthy backdoor targeting Windows, Linux, and macOS. The samples analyzed at the time were written in C++.
The Rust-based variant was first seen on VirusTotal on October 12, 2023, coinciding with the escalation of the conflict between Israel and Hamas.
The malware uses random sleep intervals and custom string encryption to hinder detection and analysis. On its first run it establishes persistence by modifying the registry through a PowerShell command, then exits.
On subsequent runs it contacts its command and control (C2) server, whose address it retrieves from a OneDrive URL. Hosting the C2 address on a legitimate cloud service lets the operators rotate infrastructure without redeploying the binary, and it blends the initial request in with ordinary traffic to Microsoft domains.
SysJoker's primary role is to fetch and load additional payloads onto the compromised system, following JSON-encoded commands received from the C2.
The malware still collects system information such as the OS version, username, and MAC address and sends it to the C2, but it no longer has the command execution capability seen in earlier versions. That functionality may return in a future release, or the developers may have removed it deliberately to keep the backdoor lightweight and stealthy.
Check Point identified two additional SysJoker samples, which it labeled 'DMADevice' and 'AppMessagingRegistrar' based on distinctive characteristics. Despite the different names, Check Point notes that all of the samples follow similar operational patterns.
The clue that led Check Point to tentatively link SysJoker to the Hamas-affiliated threat group 'Gaza Cybergang' is the use of the 'StdRegProv' WMI class in the PowerShell command that establishes persistence. StdRegProv is a legitimate WMI class that exposes the registry, so its presence alone is not malicious; what makes it a useful fingerprint is that the malware writes its autorun entry through WMI rather than through the usual cmdlets or reg.exe.
The same technique was previously observed in attacks on the Israel Electric Company during the 'Operation Electric Powder' campaign.
Other overlaps between the two operations include similar script commands, the same data collection methods, and the use of API-themed URLs. A single shared technique is weak attribution evidence on its own, which is why Check Point presents the link as a possibility rather than a confirmed connection.
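As an added detection example (not code from the original article or from Check Point), the following Python triages PowerShell command lines, such as the CommandLine field of Sysmon process-creation events, for the StdRegProv WMI class being used to write autorun registry values, the persistence technique described above. The method names (SetStringValue, CreateKey, and so on) and root-key handles (0x80000001 for HKEY_CURRENT_USER, 0x80000002 for HKEY_LOCAL_MACHINE) are the documented StdRegProv interface; the sample command lines are constructed for illustration and do not reproduce SysJoker's actual command, which the article does not quote.

```python
"""Triage PowerShell command lines for StdRegProv-based autorun persistence.

Added example: the sample events are constructed and do not reproduce
SysJoker's real command, which the article does not quote.
"""
import re
from typing import Dict, List, Optional

# Root-key handles (hDefKey) accepted by StdRegProv methods.
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

STDREGPROV_RE = re.compile(r"StdRegProv", re.IGNORECASE)
# StdRegProv methods that create or modify keys and values; GetXxxValue/EnumXxx only read.
WRITE_METHOD_RE = re.compile(
    r"\b(CreateKey|Set(?:String|ExpandedString|DWORD|QWORD|Binary|MultiString)Value)\b",
    re.IGNORECASE,
)
# Autorun locations under HKCU or HKLM, as they appear in a StdRegProv sSubKeyName
# argument or in a PowerShell registry path.
AUTORUN_RE = re.compile(
    r"Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce|Policies\\Explorer\\Run)\b",
    re.IGNORECASE,
)
# The same root-key handles written as hex or decimal literals in a script.
HIVE_RE = re.compile(r"\b(0x8000000[0-3]|214748364[89]|214748365[01])\b", re.IGNORECASE)
# Conventional (non-WMI) ways of writing the registry from PowerShell or cmd.
CMDLET_WRITE_RE = re.compile(
    r"\b(?:Set-ItemProperty|New-ItemProperty|reg(?:\.exe)?\s+add)\b", re.IGNORECASE
)


def inspect_command(cmdline: str) -> Dict[str, object]:
    """Classify one command line; severity 'high' is the WMI autorun write."""
    uses_stdregprov = bool(STDREGPROV_RE.search(cmdline))
    write = WRITE_METHOD_RE.search(cmdline)
    autorun = bool(AUTORUN_RE.search(cmdline))
    hive_match = HIVE_RE.search(cmdline)
    # int(..., 0) accepts both "0x80000001" and "2147483649".
    hive: Optional[str] = HIVES.get(int(hive_match.group(1), 0)) if hive_match else None

    if uses_stdregprov and write and autorun:
        severity = "high"       # WMI-based autorun write: the TTP the article describes
    elif uses_stdregprov and write:
        severity = "medium"     # WMI registry write outside autorun locations
    elif autorun and CMDLET_WRITE_RE.search(cmdline):
        severity = "medium"     # autorun write via the usual cmdlets or reg.exe
    elif uses_stdregprov:
        severity = "info"       # StdRegProv used read-only (inventory, enumeration)
    else:
        severity = "none"

    return {
        "severity": severity,
        "uses_stdregprov": uses_stdregprov,
        "write_method": write.group(1) if write else None,
        "autorun": autorun,
        "hive": hive,
    }


def scan(events: List[str]) -> List[Dict[str, object]]:
    """Return findings for every event that is not 'none', keeping the event index."""
    findings = []
    for idx, cmdline in enumerate(events):
        result = inspect_command(cmdline)
        if result["severity"] != "none":
            result["index"] = idx
            findings.append(result)
    return findings


# Constructed sample command lines (e.g. the CommandLine field of Sysmon event ID 1).
SAMPLE_EVENTS = [
    # WMI StdRegProv write of an HKCU Run value
    r"""powershell.exe -nop -w hidden -c "$r=[wmiclass]'root\default:StdRegProv'; $r.SetStringValue(2147483649,'Software\Microsoft\Windows\CurrentVersion\Run','Updater','C:\Users\Public\upd.exe')" """,
    # benign WMI inventory query
    r"""powershell.exe -c "Get-WmiObject -Class Win32_OperatingSystem | Select-Object Version" """,
    # StdRegProv used read-only against HKLM
    r"""powershell.exe -c "Invoke-WmiMethod -Namespace root\default -Class StdRegProv -Name GetStringValue -ArgumentList 2147483650,'SOFTWARE\Microsoft\Windows NT\CurrentVersion','ProductName'" """,
    # autorun write through the ordinary cmdlet, no WMI involved
    r"""powershell.exe -c "Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Sync' -Value 'C:\Tools\sync.exe'" """,
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['severity']:6} stdregprov={f['uses_stdregprov']} "
              f"method={f['write_method']} autorun={f['autorun']} hive={f['hive']}")
```

Only the 'high' tier, StdRegProv plus a write method plus an autorun subkey, corresponds to the behavior the article attributes to SysJoker; the 'info' and 'medium' tiers exist for triage because administrators and management tooling legitimately use StdRegProv, and a conventional Run-key write from PowerShell is suspicious for other reasons but does not carry this particular fingerprint.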