Hamas-Linked Cyberattacks Using Rust-Powered SysJoker Backdoor Against Israel


Nov 24, 2023 | Newsroom | Cyber Attack / Malware

Cybersecurity researchers have shed light on a Rust version of a cross-platform backdoor called SysJoker, which is assessed to have been used by a Hamas-affiliated threat actor to target Israel amid the ongoing war in the region.

“Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities,” Check Point said in a Wednesday analysis. “In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command-and-control server) URLs.”

Intezer publicly documented SysJoker in January 2022, describing it as a backdoor capable of gathering system information and establishing contact with an attacker-controlled server by accessing a text file hosted on Google Drive that contains a hard-coded URL.


“Being cross-platform allows the malware authors to gain advantage of broad infection on all major platforms,” VMware said last year. “SysJoker has the ability to execute commands remotely as well as download and execute new malware on victim machines.”

The discovery of a Rust variant of SysJoker points to an evolution of the cross-platform threat, with the implant employing random sleep intervals at various stages of its execution, likely in an effort to evade sandboxes.

One noteworthy shift is the use of OneDrive to retrieve the encrypted and encoded C2 server address, which is subsequently parsed to extract the IP address and port to be used.

“Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services,” Check Point said. “This behavior remains consistent across different versions of SysJoker.”

After establishing connections with the server, the artifact awaits additional payloads that are then executed on the compromised host.

The cybersecurity company said it also discovered two never-before-seen SysJoker samples designed for Windows that are significantly more complex, one of which uses a multi-stage execution process to launch the malware.


SysJoker has not yet been formally attributed to any threat actor or group. But newly gathered evidence shows overlaps between the backdoor and malware samples used in connection with Operation Electric Powder, which refers to a targeted campaign against Israeli organizations between April 2016 and February 2017.

This activity was linked by McAfee to a Hamas-affiliated threat actor known as Molerats (aka Extreme Jackal, Gaza Cyber Gang, and TA402).

“Both campaigns used API-themed URLs and implemented script commands in a similar fashion,” Check Point noted, raising the possibility that “the same actor is responsible for both attacks, despite the large time gap between the operations.”
