Updated SysJoker challenges Israel

Lord777

The sensational backdoor returns with new methods of cyber warfare.

The Check Point Research team is monitoring the active development of SysJoker, a cross-platform backdoor that is believed to have been used by a Hamas-linked hacker group to attack Israel.

Among the key changes in SysJoker is the transition from C++ to the Rust programming language, which indicates a complete rewrite of the malware code, while maintaining similar functionality. The attackers also switched to using OneDrive instead of Google Drive to store dynamic URLs of the Command and Control server (C2).

One of the SysJoker variants, written in Rust, was uploaded to VirusTotal under the name php-cgi.exe. The malware uses random sleep intervals at different stages of execution, which can serve as an anti-analysis measure. SysJoker collects information about the infected system (Windows version, user name, MAC address, IP address, and other data), and the collected information is sent to the C2 server.

Analysis of the new SysJoker variants revealed a link to previously undisclosed samples of Operation Electric Powder, a series of targeted attacks on Israeli organizations between 2016 and 2017 that were indirectly linked to the Gaza Cybergang (Gaza Hackers Team, MoleRATs) hacker group allegedly operating out of Palestine.

In 2017, the company Palo Alto discovered a malicious campaign by the Gaza Cybergang group directed against government organizations. The attackers used two pieces of malware, the Downeks downloader and the QuasarRAT Remote Access Trojan (RAT), which are designed to attack Hebrew-speaking users.