Introduction to the new SysJoker threat
In-depth analysis reveals evolutions and risks of SysJoker cross-platform malware
A new version of the SysJoker malware has been discovered. It now uses the Rust language to avoid detection and may be linked to hackers associated with Hamas, according to Check Point.
An advanced version of the SysJoker malware, known for its ability to infiltrate operating systems as diverse as Windows, Linux and macOS, was recently discovered. This cyber threat, which previously evaded antivirus detection systems, has been rewritten in the Rust programming language, known for its security and performance. SysJoker's salient features are a payload that runs entirely in memory and its ability to maintain a low profile by relying on native operating system commands.
Links between the new SysJoker and previous attacks
Cybersecurity researchers at Check Point, analyzing the new SysJoker variant, found similarities with "Operation Electric Powder", a series of cyberattacks that began in 2016 against Israeli targets, allegedly orchestrated by a Hamas-linked group known as "Gaza Cybergang". SysJoker's move to the Rust language was first identified on October 12, 2023, amid growing tension between Israel and Hamas, suggesting a potential escalation of cyber-offensive tactics.
Features and operations of the Rust variant of SysJoker
The new SysJoker variant stands out for its use of random wait intervals and a custom encryption scheme that makes code analysis and detection more difficult. On execution, the malware establishes persistence by modifying the Windows registry through PowerShell commands. Subsequent stages establish communication with the command and control server (C2), whose address is retrieved from a OneDrive URL. SysJoker's primary purpose is to load additional payloads onto the compromised system, driven by JSON-encoded commands.
Possible links to Gaza Cybergang and associated risks
While this SysJoker variant shows differences, most notably the lack of the command execution capability present in previous versions, Check Point researchers have identified a possible link to the "Gaza Cybergang" through the use of the "StdRegProv" WMI class in PowerShell commands for persistence. This technique has been found to be consistent with past attacks, particularly against the Israel Electric Company. Despite this, the definitive attribution of SysJoker to the "Gaza Cybergang" cannot be confirmed with certainty based on currently available data.
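The persistence technique described above, registry modification via the StdRegProv WMI class from PowerShell, leaves a recognizable trace in PowerShell script-block logging. The following hunting helper is an added example written for this article; it is not Check Point's code, not SysJoker itself, and not tied to any indicator from the report. It assumes script-block log text (for instance exported Event ID 4104 entries) has been collected one script block per line, and it flags only StdRegProv write methods (SetStringValue, CreateKey and similar) that target a Run or RunOnce key, so ordinary registry reads through the same class are left alone. The hive handle constants are the documented StdRegProv values for HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE; the sample log lines are constructed for the example.

```python
import re
from typing import Dict, List

# Hive handle constants documented for the StdRegProv WMI class, in the decimal
# and hexadecimal forms that appear in PowerShell scripts.
HIVES = {
    "2147483649": "HKCU", "0x80000001": "HKCU",
    "2147483650": "HKLM", "0x80000002": "HKLM",
}

# StdRegProv methods that write to the registry. Read methods such as
# GetStringValue are deliberately not matched so benign inventory scripts
# are not flagged.
WRITE_METHODS = (
    r"SetStringValue|SetExpandedStringValue|SetBinaryValue|"
    r"SetDWORDValue|SetMultiStringValue|CreateKey"
)

RE_STDREGPROV = re.compile(r"StdRegProv", re.IGNORECASE)
RE_METHOD = re.compile(rf"\b({WRITE_METHODS})\b", re.IGNORECASE)
RE_RUNKEY = re.compile(r"CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
RE_HIVE = re.compile(r"\b(2147483649|2147483650|0x8000000[12])\b", re.IGNORECASE)

# Constructed sample script blocks (not real telemetry): one benign registry
# read with a cmdlet, two StdRegProv writes to a Run key (one per hive), and
# one benign StdRegProv read.
SAMPLE_SCRIPT_BLOCKS = [
    r"Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' -Name ProductName",
    r"$r=[wmiclass]'root\default:StdRegProv'; $r.SetStringValue(2147483649,'SOFTWARE\Microsoft\Windows\CurrentVersion\Run','Updater','C:\Users\Public\updater.exe')",
    r"Invoke-CimMethod -ClassName StdRegProv -MethodName SetStringValue -Arguments @{hDefKey=2147483650; sSubKeyName='SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; sValueName='svc'; sValue='C:\ProgramData\svc.exe'}",
    r"$r=[wmiclass]'root\default:StdRegProv'; $r.GetStringValue(2147483650,'SOFTWARE\Microsoft\Windows\CurrentVersion','ProductName')",
]


def find_stdregprov_persistence(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per script block that writes a Run/RunOnce value via StdRegProv.

    A line is reported only when all three signals are present: the StdRegProv
    class name, a write method, and a Run or RunOnce subkey. The hive is
    resolved from the numeric handle when one is visible on the line.
    """
    hits: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        if not RE_STDREGPROV.search(line):
            continue
        method = RE_METHOD.search(line)
        runkey = RE_RUNKEY.search(line)
        if not (method and runkey):
            continue
        hive_match = RE_HIVE.search(line)
        hive = HIVES.get(hive_match.group(1).lower(), "unknown") if hive_match else "unknown"
        hits.append({
            "line": idx,
            "method": method.group(1),
            "key": runkey.group(0),
            "hive": hive,
        })
    return hits


if __name__ == "__main__":
    for hit in find_stdregprov_persistence(SAMPLE_SCRIPT_BLOCKS):
        print(f"line {hit['line']}: {hit['hive']}\\{hit['key']} written via StdRegProv.{hit['method']}")
```

Run as a script it reports the two constructed persistence writes (lines 1 and 2 of the sample) and skips both benign reads. The three-signal requirement is a triage filter rather than a signature: a real deployment would feed it actual script-block logs and treat each hit as a lead for reviewing the value that was written, since legitimate software also creates Run entries.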
11/27/2023 16:57
Marco Verro