Hamas-Linked Group Revives SysJoker Malware, Leverages OneDrive

2 months ago 22

Originally identified in December 2021, the SysJoker Malware is recognized for its capability to target Windows, macOS, and Linux systems.

Amid the escalating tensions in the Israel-Hamas conflict, Check Point Research’s (CPR) team has unearthed a new variant of a multi-platform backdoor SysJoker. According to CPR, which has been monitoring the cybersecurity activities in the two countries, SysJoker malware was used by a Hamas-affiliated APT (advanced persistent threat) group to target Israel recently.

For your information, SysJoker was discovered by Intezer in 2021. It is a multi-platform backdoor, which means it can target Windows, macOS, and Linux systems. The malware has been under active evolution since its discovery and today it is equipped with a range of tactics to evade detection. The new SysJoker variant is written in Rust language.

In their technical report, CPR researchers noted that the malware code has been rewritten completely but the malware still maintains its original functionalities. The primary modification is that instead of Google Drive, the Rust variant utilizes OneDrive to store dynamic C2 URLs.

SysJoke features two different modes for string decryption. The first method is rather simple and part of many SysJoker variants. It entails multiple base64-encoded encrypted data blobs and a base64-encoded key.

When decrypting, it decodes both base64 blobs and XORs them to produce plain text strings. The second method is much more complex and involves generating a complex string decryption algorithm.

In its report shared with Hackread.com ahead of publication on Tuesday, cybersecurity researchers at Check Point Research revealed that “The infrastructure used in this campaign is configured dynamically. First, the malware contacts a OneDrive address, and from there, it decrypts the JSON containing the C2 address with which to communicate. The C2 address is encrypted with a hardcoded XOR key and base64-encoded.”

The report offers in-depth insights on the Rust variant of SysJoker and its Windows variants with their attributions along with infection vectors, the C2 communication mechanism, and malware’s functionalities, which include downloading/uploading files, executing commands, and capturing screenshots.

Hamas-Linked Group Revives SysJoker Malware, Leverages OneDriveThe screenshot shared by CPR shows the metadata of the OneDrive file containing the encrypted C2 server

“It is important to mention that in previous SysJoker operations, the malware also had the ability not only to download and execute remote files from an archive but also to execute commands dictated by the operators. This functionality is missing in the Rust version,” researchers noted.

Researchers found evidence of the malware’s ties to Gaza Cybergang as they have used it in their previous campaigns. They also found behavioural similarities between SysJoker’s new variants and the Operation Electric Powder campaign, which crippled Israeli organizations in 2016-2017.

This campaign was also loosely connected to Gaza Cybergang. This gang is reportedly pro-Palestine and often launches attacks to safeguard Palestinian interests. Nevertheless, the resurgence of SysJoker malware adds to the arsenal of cyberweapons employed by hacktivists. Before this incident, Hamas hackers were discovered using a new Linux malware named BiBi-Linux Wiper against Israeli targets.

Hackers Target Israeli Rocket Alert App Users with Spyware Pro-Palestinian TA402 APT Using IronWind Malware in New Attack Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware Deadglyph Backdoor Linked to Stealth Falcon APT in the Middle East Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App Hacktivists Trageting Critical ICS Infrastructure in Israel and Palestine Gelsemium APT Group Uses “Rare” Backdoor in Southeast Asian Attack
Read Entire Article