In recent cybersecurity findings, researchers have exposed a Rust variant of the cross-platform backdoor SysJoker, employed by a threat actor linked to Hamas in their cyber warfare against Israel. The evolution of SysJoker is marked by a complete code rewrite in Rust, suggesting enhanced functionalities, and a strategic shift from Google Drive to OneDrive for the storage of dynamic command and control server URLs.
Notably, this variant adds random sleep intervals and dynamic changes of the C2 address, underscoring the malware’s resilience and the threat actor’s agility in evading detection. Hosting the C2 URL on OneDrive lets the attackers change the C2 address easily, and because OneDrive is a legitimate, well-reputed service, traffic to it is unlikely to be flagged by reputation-based filtering.
SysJoker, initially documented by Intezer in January 2022, operates as a cross-platform backdoor capable of gathering system information and establishing contact with an attacker-controlled server. This flexibility allows for widespread infections across major platforms, granting the malware the ability to execute commands remotely and download and execute new malware on victim machines.
The discovery of a Rust variant indicates a significant evolution in the cross-platform threat landscape, with the malware utilizing advanced techniques, such as random sleep intervals, to avoid detection by sandboxes.
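The two behaviours described above, retrieving the C2 address from a cloud "dead drop" (OneDrive) and then beaconing at randomised intervals, leave a recognisable pattern in web-proxy logs. The following detector is an added example written for this page; it is not code from the researchers or from SysJoker, and the log lines, field layout, domain list, thresholds and baseline are all constructed assumptions. It flags a client that fetches from a OneDrive domain and, shortly afterwards, repeatedly contacts a destination not in that client's baseline, reporting whether the inter-request gaps look jittered.

```python
"""Detect a cloud dead-drop fetch followed by jittered beaconing to a new host.

Log format assumed here (constructed): "<ISO timestamp> <client> <method> <url>".
"""
from datetime import datetime, timedelta
from statistics import mean, pstdev
from urllib.parse import urlparse

# Cloud-storage domains that an implant may use as a dead drop for its C2 URL
# (real OneDrive domains; the list itself is an assumption for this example).
DEAD_DROP_HOSTS = {"onedrive.live.com", "1drv.ms"}
WINDOW = timedelta(minutes=10)   # watch period after a dead-drop fetch
MIN_BEACONS = 3                  # requests needed before judging the interval pattern
JITTER_CV = 0.25                 # coefficient of variation above which gaps look randomised

# Constructed sample log: 10.0.0.5 fetches from OneDrive and then beacons to an
# unknown host with irregular gaps; 10.0.0.9 fetches from OneDrive but only talks
# to a baselined destination afterwards.
SAMPLE_LOG = """\
2023-11-20T09:00:00 10.0.0.5 GET https://onedrive.live.com/download?resid=CONSTRUCTED
2023-11-20T09:00:01 10.0.0.5 GET https://example.invalid/api/beacon
2023-11-20T09:00:45 10.0.0.5 POST https://example.invalid/api/beacon
2023-11-20T09:02:12 10.0.0.5 POST https://example.invalid/api/beacon
2023-11-20T09:02:40 10.0.0.5 POST https://example.invalid/api/beacon
2023-11-20T09:04:30 10.0.0.5 POST https://example.invalid/api/beacon
2023-11-20T09:00:00 10.0.0.9 GET https://onedrive.live.com/?id=docs
2023-11-20T09:00:30 10.0.0.9 GET https://www.microsoft.com/
2023-11-20T09:01:00 10.0.0.9 GET https://www.microsoft.com/
2023-11-20T09:01:30 10.0.0.9 GET https://www.microsoft.com/
"""

# Constructed per-client baseline of destinations considered normal.
BASELINE = {"10.0.0.5": {"www.microsoft.com"}, "10.0.0.9": {"www.microsoft.com"}}


def parse_log(text):
    """Parse log lines into (timestamp, client, method, destination host), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, client, method, url = line.split()
        events.append((datetime.fromisoformat(ts), client, method, urlparse(url).hostname))
    events.sort(key=lambda e: e[0])
    return events


def jitter_cv(times):
    """Coefficient of variation of the gaps between consecutive timestamps."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else 0.0


def detect(log_text, baseline):
    """Return one alert per (client, new destination) seen within WINDOW of a dead-drop fetch."""
    by_client = {}
    for ev in parse_log(log_text):
        by_client.setdefault(ev[1], []).append(ev)

    alerts = {}
    for client, evs in by_client.items():
        known = baseline.get(client, set())
        fetches = [ts for ts, _, _, host in evs if host in DEAD_DROP_HOSTS]
        for fetch_ts in fetches:
            # Collect requests to non-baselined hosts in the window after the fetch.
            seen = {}
            for ts, _, _, host in evs:
                if host in DEAD_DROP_HOSTS or host in known:
                    continue
                if fetch_ts < ts <= fetch_ts + WINDOW:
                    seen.setdefault(host, []).append(ts)
            for host, times in seen.items():
                if len(times) < MIN_BEACONS or (client, host) in alerts:
                    continue
                cv = jitter_cv(times)
                alerts[(client, host)] = {
                    "client": client,
                    "dead_drop_fetch": fetch_ts.isoformat(),
                    "destination": host,
                    "requests": len(times),
                    "jitter_cv": round(cv, 3),
                    "jittered": cv > JITTER_CV,
                }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE):
        print(alert)
```

The jitter measure is deliberately simple: a fixed-interval beacon gives a coefficient of variation near zero, while randomised sleeps push it up. In a real deployment the baseline would come from historical proxy data and the dead-drop list from your own allowlisted cloud services.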
Although SysJoker has not been formally attributed to any specific threat actor or group, evidence points to possible connections between the backdoor and malware used in Operation Electric Powder, a targeted campaign against Israeli organizations between 2016 and 2017.
That campaign was previously linked to a Hamas-affiliated threat actor known as Molerats, suggesting a possible continuity in cyber operations across a significant time gap. The similarity in tactics, including the use of API-themed URLs and script commands, raises the possibility that the same threat actor is responsible for both attacks, pointing to a persistent and adaptable adversary.