Cybersecurity researchers have shed light on a Rust version of a cross-platform backdoor called SysJoker, which is assessed to have been used by a Hamas-affiliated threat actor to target Israel amid the ongoing war in the region.
"Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities," Check Point said in a Wednesday analysis. "In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command-and-control server) URLs."
SysJoker was publicly documented by Intezer in January 2022, describing it as a C++ backdoor capable of gathering system information and establishing contact with an attacker-controlled server by accessing a text file hosted on Google Drive that contains a hard-coded URL.
"Being cross-platform allows the malware authors to gain advantage of wide infection on all major platforms," VMware said last year. "SysJoker has the ability to execute commands remotely as well as download and execute new malware on victim machines."
The discovery of a Rust variant of SysJoker points to an evolution of the cross-platform threat, with the implant employing random sleep intervals at various stages of its execution, likely in an effort to evade sandboxes.
One noteworthy shift is the use of OneDrive to retrieve the encrypted and encoded C2 server address, which is subsequently parsed to extract the IP address and port to be used.
"Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services," Check Point said. "This behavior remains consistent across different versions of SysJoker."
After establishing connections with the server, the artifact awaits further additional payloads that are then executed on the compromised host.
The cybersecurity company said it also discovered two never-before-seen SysJoker samples designed for Windows that are significantly more complex, one of which utilizing a multi-stage execution process to launch the malware.
SysJoker has not yet been formally attributed to any threat actor or group. But newly gathered evidence shows overlaps between the backdoor and malware samples used in connection with Operation Electric Powder, which refers to a targeted campaign against Israeli organizations between April 2016 and February 2017.
This activity was linked by McAfee to a Hamas-affiliated threat actor known as Molerats (aka Extreme Jackal, Gaza Cyber Gang, and TA402).
"Both campaigns used API-themed URLs and implemented script commands in a similar fashion," Check Point noted, raising the possibility that "the same actor is responsible for both attacks, despite the large time gap between the operations."
SysJoker Linked to New WildCard Group
Intezer, in a new analysis published on November 27, 2023, attributed SysJoker and its Rust variant – which it codenamed RustDown – to a previously unknown hacking group called WildCard, noting that the attacks likely leverage phishing campaigns to convince victims to download trojanized versions of legitimate software.
It also characterized the threat actor as an advanced persistent threat (APT) consistently targeting Israeli critical sectors like education, IT infrastructure, and possibly electric power generation at least since 2021, due to tactical overlaps with prior campaigns.
"The original version of SysJoker was used to target Windows, macOS, and Linux machines, the migration to Rust might be an attempt to simplify multi-platform targeting in addition to making it harder to analyze," Intezer researcher Nicole Fishbein said.
(The story was updated after publication to include additional information from Intezer.)
