Hamas-Linked Cyberattacks Using Rust-Powered SysJoker Backdoor Against Israel

27-11-2023

Cybersecurity researchers have shed light on a Rust version of a cross-platform backdoor called SysJoker, which is assessed to have been used by a Hamas-affiliated threat actor to target Israel amid the ongoing war in the region.

SysJoker was publicly documented by Intezer in January 2022, which described it as a backdoor that gathers system information and locates its attacker-controlled server indirectly: it fetches a text file hosted on Google Drive that holds the hard-coded command-and-control URL, a dead-drop-resolver technique that hides the real C2 address behind a legitimate cloud service.
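The C2 bootstrap described above is worth hunting for in web-proxy logs, because the Google Drive fetch looks benign on its own while the connection that follows it does not. The script below is an added example, not code from the article, Intezer, VMware or Check Point: it scans proxy log lines for a client that downloads a file from a Google Drive URL and then, within a short window, makes its first-ever connection to a host it has never contacted. The log format, field names, the five-minute window and all log lines (including the C2 hostname and its API-style path) are constructed assumptions for the example.

```python
"""Hunt for dead-drop-resolver style C2 bootstrap in web-proxy logs.

Added example, not code from the article or from any vendor it cites.
Assumed log format (constructed): "<ISO timestamp> <client_ip> <method> <url>"
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log lines. 10.0.0.7 shows the suspicious sequence:
# a Google Drive download followed seconds later by a first contact with
# a never-before-seen host. 10.0.0.5 also fetches from Drive, but only
# talks to hosts it already knew, or to a new host long after the window.
SAMPLE_LOG = """\
2023-11-20T09:00:01 10.0.0.5 GET https://www.google.com/search?q=weather
2023-11-20T09:00:10 10.0.0.7 GET https://drive.google.com/uc?export=download&id=1aBcDeFgHiJ
2023-11-20T09:00:14 10.0.0.7 POST https://api.example-c2.test/api/attach
2023-11-20T09:00:30 10.0.0.5 GET https://drive.google.com/uc?export=download&id=9zYxWvUtSrQ
2023-11-20T09:00:31 10.0.0.5 GET https://www.google.com/search?q=news
2023-11-20T09:45:00 10.0.0.5 GET https://cdn.example-news.test/article.html
"""

# Hosts commonly abused as dead-drop resolvers (assumed list, extend as needed).
DEAD_DROP_HOSTS = {"drive.google.com", "docs.google.com"}
# How long after the dead-drop fetch a new outbound contact is still suspicious.
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Split one constructed log line into (timestamp, client, method, parsed URL)."""
    ts, src, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, method, urlparse(url)


def is_dead_drop_fetch(url):
    """True for a direct-download request to one of the dead-drop hosts."""
    return url.hostname in DEAD_DROP_HOSTS and "export=download" in url.query


def find_dead_drop_followups(log_text, window=WINDOW):
    """Return (client, new_host, method, seconds_after_fetch) for every client
    whose first contact with a host happens within `window` of a dead-drop fetch.
    """
    seen_hosts = defaultdict(set)   # client -> hosts it has contacted so far
    pending = {}                    # client -> time of its last dead-drop fetch
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url = parse_line(line)
        host = url.hostname
        # A dead-drop fetch older than the window no longer explains new traffic.
        if src in pending and ts - pending[src] > window:
            del pending[src]
        if is_dead_drop_fetch(url):
            pending[src] = ts
        elif src in pending and host not in seen_hosts[src]:
            delay = (ts - pending[src]).total_seconds()
            alerts.append((src, host, method, delay))
            del pending[src]        # one alert per fetch
        seen_hosts[src].add(host)
    return alerts


if __name__ == "__main__":
    for src, host, method, delay in find_dead_drop_followups(SAMPLE_LOG):
        print(f"{src}: first contact with {host} ({method}) {delay:.0f}s after Drive fetch")
```

The rule is deliberately narrow: a Drive download by itself is everyday traffic, so the alert fires only on the combination of the fetch and a first-seen destination right after it. In production the "seen before" baseline should be seeded from a longer history than the log being scanned, otherwise every host looks new at the start of the file.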

“Being cross-platform allows the malware authors to gain advantage of wide infection on all major platforms,” VMware said last year. “SysJoker has the ability to execute commands remotely as well as download and execute new malware on victim machines.”

Check Point, which analyzed the Rust variant, said it also discovered two never-before-seen SysJoker samples designed for Windows that are significantly more complex, one of which uses a multi-stage execution process to launch the malware.

SysJoker has not yet been formally attributed to any threat actor or group. But newly gathered evidence shows overlaps between the backdoor and malware samples used in connection with Operation Electric Powder, which refers to a targeted campaign against Israeli organizations between April 2016 and February 2017.

This activity was linked by McAfee to a Hamas-affiliated threat actor known as Molerats (aka Extreme Jackal, Gaza Cyber Gang, and TA402).

“Both campaigns used API-themed URLs and implemented script commands in a similar fashion,” Check Point noted, raising the possibility that “the same actor is responsible for both attacks, despite the large time gap between the operations.”

Source: https://thehackernews.com/