SysJoker Backdooring Israeli Entities



Check Point researchers observed a Hamas-linked APT group using the SysJoker backdoor against Israeli entities.

Researchers first discovered the SysJoker backdoor in 2021; it is able to infect Windows, macOS, and Linux systems.

The variant used in the attacks against Israel is written in Rust. The researchers noted that it supports the same functionality as earlier variants, and that the threat actor switched from Google Drive to OneDrive to store the dynamic C2 URLs.


“Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services. This behavior remains consistent across different versions of SysJoker.”

The backdoor collects information about the infected system and sends it to the /api/attach endpoint on the C2 server.

Once registered with the C2 server, the sample enters its main C2 loop: it sends a POST request carrying its unique token to the /api/req endpoint and receives a JSON response.

The response JSON contains a field named "data" that holds an array of actions for the sample to execute.

Researchers found similarities with the Operation Electric Powder campaign, which targeted Israel in 2016-2017 and was attributed to Gaza Cybergang, a threat actor believed to be linked to the Palestinian organization Hamas.


Check Point also discovered two additional, previously undetected SysJoker samples that are more complex than the Rust version.

“The earlier versions of the malware were coded in C++. Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements.”

Indicators of Compromise

  • 85.31.231[.]49
  • sharing-u-file[.]com
  • filestorage-short[.]org
  • audiosound-visual[.]com
  • 62.108.40[.]129
  • d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72
  • 6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95
  • e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836
  • 96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f
  • 67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706
  • 0ff6ff167c71b86c511c36cba8f75d1d5209710907a807667f97ce323df9c4ba
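The C2 behaviour described above (registration against /api/attach, then a POST polling loop against /api/req) and the indicators in the list above can be combined into a first-pass log check. The Python below is an added example written for this page, not Check Point's tooling or code from the report. The proxy-log format and the sample log lines are constructed for the example, and matching on the bare paths /api/attach and /api/req is a heuristic that unrelated applications can trigger, so a path-only hit is rated low unless the request also involves a listed IoC host or destination IP.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Network indicators from the report, kept in the defanged form used on the page.
DEFANGED_IOCS = [
    "85.31.231[.]49",
    "sharing-u-file[.]com",
    "filestorage-short[.]org",
    "audiosound-visual[.]com",
    "62.108.40[.]129",
]

# File hashes (SHA-256) from the report's IoC list.
FILE_HASHES = {
    "d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72",
    "6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95",
    "e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836",
    "96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f",
    "67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706",
    "0ff6ff167c71b86c511c36cba8f75d1d5209710907a807667f97ce323df9c4ba",
}

# C2 endpoints described in the write-up: registration and the command-polling loop.
C2_PATHS = {"/api/attach": "register", "/api/req": "poll"}

# Assumed proxy-log format (constructed for this example, not from the report):
# "<timestamp> <src_ip> <method> <url> <dst_ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dst>\S+)\s+(?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_ioc_sets(defanged):
    """Split the refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in defanged:
        value = refang(raw).lower()
        try:
            ipaddress.ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value)
    return ips, domains


def classify(line: str, ips, domains):
    """Return a hit record for one log line, or None if nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    host = (parts.hostname or "").lower()
    dst = m.group("dst")
    reasons = []
    if host in domains or host in ips:
        reasons.append(f"ioc-host:{host}")
    if dst in ips:
        reasons.append(f"ioc-dst:{dst}")
    role = C2_PATHS.get(parts.path)
    if role:
        reasons.append(f"c2-path:{role}")
        if role == "poll" and m.group("method") != "POST":
            # The report describes /api/req traffic as POST; anything else is weaker evidence.
            reasons.append("unexpected-method")
    if not reasons:
        return None
    has_ioc = any(r.startswith("ioc-") for r in reasons)
    # Path-only matches are a heuristic; require an IoC host/IP to rate them high.
    severity = "high" if (has_ioc and role) else ("medium" if has_ioc else "low")
    return {"src": m.group("src"), "host": host, "dst": dst, "reasons": reasons, "severity": severity}


def scan(lines, defanged=DEFANGED_IOCS):
    """Run classify() over every line and return the hits in log order."""
    ips, domains = build_ioc_sets(defanged)
    return [hit for hit in (classify(line, ips, domains) for line in lines) if hit]


def match_file_hashes(observed: dict) -> list:
    """Given {path: sha256}, return the paths whose hash is in the report's list."""
    return sorted(p for p, h in observed.items() if h.lower() in FILE_HASHES)


# Constructed sample log lines; the private source IPs and the intranet host are made up.
SAMPLE_LOG = """\
2023-11-23T09:14:02Z 10.0.0.17 GET https://www.example.com/index.html 93.184.216.34 200
2023-11-23T09:14:05Z 10.0.0.17 POST https://sharing-u-file.com/api/attach 85.31.231.49 200
2023-11-23T09:14:35Z 10.0.0.17 POST https://sharing-u-file.com/api/req 85.31.231.49 200
2023-11-23T09:15:01Z 10.0.0.23 POST https://intranet.example.net/api/req 192.0.2.10 200
2023-11-23T09:15:09Z 10.0.0.31 GET http://62.108.40.129/update 62.108.40.129 404
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["src"], "->", hit["host"], hit["reasons"])
```

Running the block on the sample lines yields two high-severity hits for the registration and polling requests to sharing-u-file.com, one medium hit for the bare IoC IP, and one low hit for the intranet /api/req request, which an analyst should verify rather than act on.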
