New Rust-based SysJoker backdoor linked to Hamas hackers

A new version of the multi-platform malware known as 'SysJoker' has been spotted, featuring a complete code rewrite in the Rust programming language.


SysJoker is a stealthy Windows, Linux, and macOS malware first documented by Intezer in early 2022, which discovered and analyzed C++ versions at the time.


The backdoor featured in-memory payload loading, a plethora of persistence mechanisms, "living off the land" commands, and a complete lack of detection for all its OS variants on VirusTotal.


Examination of the new Rust-based variants by Check Point has established a connection between the previously unattributed backdoor and 'Operation Electric Powder,' which dates back to 2016-2017.


This operation involved a series of cyber-attacks targeting Israel, believed to be orchestrated by a Hamas-affiliated threat actor known as 'Gaza Cybergang.'


New SysJoker


The Rust-based variant of SysJoker was first submitted to VirusTotal on October 12, 2023, coinciding with the escalation of the war between Israel and Hamas.


The malware employs random sleep intervals and complex custom encryption for code strings to evade detection and analysis.


On the first launch, it performs registry modification for persistence using PowerShell and exits. Upon later executions, it establishes communication with the C2 (command and control) server, the address for which it retrieves from a OneDrive URL.


SysJoker's primary role is to fetch and load additional payloads on the compromised system, directed via the reception of JSON-encoded commands.
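To show how the first-launch/later-execution chain described above (PowerShell registry persistence, then a OneDrive fetch for the C2 address on a later run) might be caught on an endpoint, here is an added Python example; it is not code from the article, Check Point or Intezer. It correlates constructed Sysmon-style events so that an image is flagged only when it both used PowerShell to write a Run key and later fetched a OneDrive URL. The Run key as persistence location, the OneDrive hostnames and the event field names are assumptions; the article specifies none of them.

```python
import re

# Constructed sample telemetry, not real SysJoker logs. Events are minimal
# Sysmon-style records; the field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "process", "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "child": "powershell.exe",
     "cmdline": r"powershell -c Set-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name svc -Value C:\Users\u\AppData\Roaming\svc.exe"},
    {"ts": 900, "type": "network", "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "url": "https://onedrive.live.com/download?resid=EXAMPLE"},
    # Benign: an installer writes a Run key via PowerShell but never touches OneDrive.
    {"ts": 200, "type": "process", "image": r"C:\Program Files\Vendor\setup.exe",
     "child": "powershell.exe",
     "cmdline": r"powershell -c Set-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name Vendor -Value C:\Program Files\Vendor\agent.exe"},
    # Benign: a browser fetches a OneDrive document with no persistence step.
    {"ts": 300, "type": "network", "image": r"C:\Program Files\Browser\browser.exe",
     "url": "https://onedrive.live.com/?id=EXAMPLE"},
]

# Assumed persistence location (the article only says "registry modification").
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run", re.IGNORECASE)
# Assumed OneDrive hosts; the article does not give the exact URL.
ONEDRIVE_RE = re.compile(r"^https?://(onedrive\.live\.com|1drv\.ms)/", re.IGNORECASE)


def is_powershell_run_key_write(ev):
    """True when a process spawned PowerShell with a command line that touches a Run key."""
    return (ev["type"] == "process"
            and ev.get("child", "").lower() == "powershell.exe"
            and RUN_KEY_RE.search(ev.get("cmdline", "")) is not None)


def correlate(events):
    """Map image path -> (persistence_ts, onedrive_ts) for images that first wrote
    a Run key through PowerShell and, on a later execution, fetched a OneDrive URL.
    Either behaviour alone is common and is deliberately not flagged."""
    persisted = {}   # image -> timestamp of its earliest Run-key write
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        img = ev["image"]
        if is_powershell_run_key_write(ev):
            persisted.setdefault(img, ev["ts"])
        elif ev["type"] == "network" and ONEDRIVE_RE.search(ev.get("url", "")):
            if img in persisted and ev["ts"] > persisted[img]:
                hits.setdefault(img, (persisted[img], ev["ts"]))
    return hits


if __name__ == "__main__":
    for img, (p_ts, o_ts) in correlate(SAMPLE_EVENTS).items():
        print(f"suspect {img}: Run-key write at {p_ts}, OneDrive fetch at {o_ts}")
```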


While the malware still collects system information like OS version, username, MAC address, etc., and sends it to the C2, it lacks the command exe ..
