SysJoker Malware Attacking Windows, Linux and Mac Users Abusing OneDrive


SysJoker malware, a multi-platform backdoor with several variants for Windows, Linux, and Mac, has been observed being used by a Hamas-affiliated APT to target Israel. This malware was first identified by Intezer in 2021 and was recently used in targeted attacks.

Checkpoint researchers documented the malware's evolution: changes in the complexity of its execution flow, its most recent rewrite in the Rust language, and the infrastructure it currently uses.

Furthermore, the threat actor switched from Google Drive to OneDrive for hosting its dynamic C2 (command and control server) URLs.

Hosting the C2 address on a trusted cloud service gives the operators an advantage over reputation-based services, since the hosting domain itself is rarely blocked. This behavior is constant throughout the various SysJoker versions.



Rust version of SysJoker

During analysis, the researchers observed that the malware pauses for unpredictable sleep intervals at certain points throughout its execution, which they say could be an anti-analysis or anti-sandbox technique.

SysJoker contacts a OneDrive URL to obtain the C2 server address. Because the attackers can change the C2 address simply by editing the file hosted on OneDrive, this gives them an advantage over reputation-based services.

“The malware collects information about the infected system, including the Windows version, username, MAC address, and various other data,” Checkpoint said in a report shared with Cyber Security News.

Command Request and Response

Notably, in earlier SysJoker activity the malware was also capable of downloading and running remote files from an archive, as well as executing operator-dictated commands. The Rust version lacks this capability.

Windows SysJoker Variants

Researchers have found two more SysJoker samples that had not previously been made public. Both of these samples are somewhat more complex than the Rust version, possibly in response to the malware's public discovery and analysis.

One of these samples differs from the others in having a multi-stage execution flow comprising a downloader, an installer, and a separate payload DLL.

This campaign takes advantage of dynamically configured infrastructure. The malware first establishes a connection with a OneDrive address and then decrypts the JSON containing the C2 address.

The C2 address is base64-encoded and XOR-encrypted with a hardcoded key. This threat actor frequently uses cloud storage services.
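The two paragraphs above describe a common configuration layout: a JSON document, XOR-encrypted with a hardcoded key and base64-encoded, retrieved from a cloud-storage URL. The following decoder is an added example for analysts and is not code from the article or from Check Point's report. It assumes a repeating-key XOR (the report does not describe the key length or the JSON field names), uses a constructed placeholder key and a constructed, non-routable sample address rather than any real indicator, and reports a wrong key as a decoding error instead of returning garbage.

```python
import base64
import json

# Constructed placeholder. The article says the real key is hardcoded in the
# sample but does not publish it, so nothing here is a real indicator.
DEMO_XOR_KEY = b"example-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_c2_config(blob: str, key: bytes) -> dict:
    """Undo the base64 + XOR layering and parse the embedded JSON.

    A wrong key yields bytes that are not valid UTF-8 JSON, which is turned
    into a ValueError so callers do not mistake garbage for a configuration.
    """
    raw = base64.b64decode(blob, validate=True)
    plaintext = xor_bytes(raw, key)
    try:
        return json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("decoded bytes are not JSON; wrong key or layout") from exc


def extract_c2_url(blob: str, key: bytes, field: str = "url") -> str:
    """Return the C2 address from the decoded JSON. The field name is an
    assumption for this example; the real samples may use a different key."""
    config = decode_c2_config(blob, key)
    if field not in config:
        raise KeyError(f"decoded JSON has no {field!r} field: {sorted(config)}")
    return config[field]


def encode_c2_config(config: dict, key: bytes) -> str:
    """Constructed helper that produces a blob in the same layout, used only
    to build a self-contained sample for the decoder above."""
    plaintext = json.dumps(config).encode("utf-8")
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


# Constructed sample: a reserved, non-routable hostname, not an observed C2.
SAMPLE_CONFIG = {"url": "http://c2.example.invalid/api"}
SAMPLE_BLOB = encode_c2_config(SAMPLE_CONFIG, DEMO_XOR_KEY)


if __name__ == "__main__":
    print("hosted blob :", SAMPLE_BLOB)
    print("decoded JSON:", decode_c2_config(SAMPLE_BLOB, DEMO_XOR_KEY))
    print("C2 address  :", extract_c2_url(SAMPLE_BLOB, DEMO_XOR_KEY))
```

In practice the blob would be the body of the file fetched from the OneDrive URL and the key would come from the unpacked sample; the decoder is also useful for confirming a key candidate, since a wrong key fails loudly rather than producing a plausible-looking string.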

Metadata of OneDrive file containing the encrypted C2 server

According to researchers, the malware's initial versions were written in C++. Since there is no simple way to translate that code to Rust, the new version indicates a thorough rebuild and may serve as a foundation for future modifications and enhancements.

