A new variant of the SysJoker malware [1] [3], called phpcgiexe [1], has been discovered by researchers. This variant is developed in the Rust programming language and represents a significant advancement in malware development [3]. It offers improved performance and enhanced security evasion capabilities [3].

Description

The threat actor behind this variant, known as Molerats or Gaza Cybergang [3], has made notable changes in their tactics. They have shifted from using Google Drive to Microsoft OneDrive for command and control server communications [3]. This adaptability makes it more challenging for security services to track and neutralize the threat [3].

The SysJoker malware is a cross-platform backdoor that can gather system information [4] [5], establish contact with an attacker-controlled server [2] [4] [5] [6], execute commands remotely [2] [4] [6], and download and execute new malware on compromised machines [2] [6]. The Rust variant of SysJoker employs random sleep intervals to evade sandboxes [2] [4] [6]. It retrieves the encrypted and encoded command-and-control server address from OneDrive [2] [4] [6], allowing the attackers to easily change the address and stay ahead of reputation-based services [2] [4] [6]. The backdoor awaits additional payloads from the server [6], which are then executed on the compromised host [6].

Investigations have revealed overlaps between SysJoker and malware samples used in Operation Electric Powder [6], a targeted campaign against Israeli organizations from 2016 to 2017 [1] [4]. This suggests that the same threat actor [6], Molerats [2] [3] [4] [5] [6], is responsible for both attacks [4] [6]. Ongoing investigations have also uncovered more complex versions of SysJoker [3], highlighting its role as a significant tool in cyber espionage and warfare [3].

Researchers have found evidence linking SysJoker and its newer variants to the Israeli-Hamas conflict [1], specifically the 2016-2017 Electric Powder Operation against Israel Electric Company [1].

Conclusion

The discovery of the SysJoker malware variant developed in the Rust programming language marks a significant evolution in malware development [3]. Its improved performance and enhanced security evasion capabilities pose a greater challenge for security services. The shift from Google Drive to Microsoft OneDrive for command and control server communications adds to the adaptability of the threat actor, making tracking and neutralization more difficult.

The overlaps between SysJoker and malware samples used in Operation Electric Powder suggest that the same threat actor, Molerats [2] [3] [4] [5] [6], is responsible for both attacks [4] [6]. Ongoing investigations have revealed more complex versions of SysJoker [3], highlighting its role as a significant tool in cyber espionage and warfare [3].

Furthermore, the connection between SysJoker and the Israeli-Hamas conflict, particularly the 2016-2017 Electric Powder Operation [1], underscores the real-world impact and implications of this malware. It is crucial for organizations and security services to remain vigilant and implement effective mitigations to protect against this evolving threat.

References

[1] https://securityonline.info/hamas-linked-sysjoker-backdoor-a-persistent-threats-new-dangerous-facade/
[2] https://patabook.com/technology/2023/11/25/hamas-linked-cyberattacks-using-rust-powered-sysjoker-backdoor-against-israel/
[3] https://cisotimes.com/hamas-linked-apt-group-targeting-israeli-entities/
[4] https://www.redpacketsecurity.com/hamas-linked-cyberattacks-using-rust-powered-sysjoker-backdoor-against-israel/
[5] https://cybermaterial.com/sysjoker-evolution-unveiling-cyber-threat/
[6] https://thehackernews.com/2023/11/hamas-linked-cyberattacks-using-rust.html