Pierluigi Paganini November 25, 2023
Check Point researchers observed a Hamas-linked APT group is using the SysJoker backdoor against Israeli entities.
In December 2021, security experts from Intezer first discovered the SysJoker backdoor, which is able to infect Windows, macOS, and Linux systems.
The version employed in the attacks against Israel is written in Rust language, which suggests the malware was rewritten from scratch. The experts noticed that the malicious code supports the same functionalities as past variants. The threat actor switched from Google Drive to OneDrive to store dynamic C2 (command and control server) URLs.
“Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services. This behavior remains consistent across different versions of SysJoker.” reads the analysis published by Check Point.
The backdoor collects information about the infected system (i.e. Windows version, username, MAC address). The collected data is sent to the /api/attach
API endpoint on the C2 server.
Once registered with the C2 server, the sample initiates the main C2 loop. It sends a POST request with the unique token to the /api/req endpoint, receiving a JSON response from the C2 server.
In turn, the server responds with a JSON containing a field named “data,” which holds an array of actions for the sample to execute.
Check Point also noticed behavioral similarities with the Operation Electric Powder campaign which targeted Israel in 2016-2017. This campaign was attributed to Gaza Cybergang (aka Molerats), a threat actor that is believed to be linked to the Palestinian organization Hamas.
The Gaza cybergang, aka “Gaza Hackers Team” and “Molerats,” appears to be politically motivated and has been active since at least since 2012, but it has intensified its activity in Q2 2015.
Check Point also discovered two previously undetected additional SysJoker samples that are more complex than the Rust version.
“Although the SysJoker malware, which was first seen in 2021 and publicly described in 2022, wasn’t attributed to any known actor, we found evidence that this tool and its newer variants have been used as part of the Israeli-Hamas conflict. We were also able to make a connection between SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company.” concludes the report. “The earlier versions of the malware were coded in C++. Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SysJoker backdoor)