The newly discovered version of SysJoker has been written in the Rust programming language, suggesting that it has been completely rewritten.
Researchers also noted that the new version was utilized in targeted attacks in 2023, similar in tactics and approach to known threat actors, such as the Gaza Cybergang.
SysJoker was first discovered by Intezer in January 2022, with researchers describing the malware as follows:
SysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution. After further investigation, we found that SysJoker also has Mach-O and Windows PE versions. Based on Command and Control (C2) domain registration and samples found in VirusTotal, we estimate that the SysJoker attack was initiated during the second half of 2021.
SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive. During our analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines. Based on victimology and malware’s behavior, we assess that SysJoker is after specific targets.
Taking a deeper dive into the newly discovered version written in Rust, researchers found that the malware employs random sleep intervals as well as complex custom encryption for code strings to evade detection and analysis.
On first launch, it modifies the registry for persistence using PowerShell and then exits. On subsequent executions, it establishes communication with the command-and-control (C2) server, whose address is retrieved from a OneDrive URL.
SysJoker's primary role is to fetch and load additional payloads on the compromised system, directed via the reception of JSON-encoded commands. Malware that performs such a task is often referred to as backdoor malware, as it effectively creates an entrance, or "back door," to a compromised machine.
While the malware still collects system information such as OS version, username, and MAC address, amongst other details, it lacks the command execution capability seen in previous versions.
Researchers believe this capability might return in a later version; alternatively, the backdoor's developers may have removed it to make the malware lighter and stealthier.
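The two-stage behaviour described above (a PowerShell-driven registry modification for persistence on first run, then retrieval of the C2 address from a OneDrive URL) lends itself to a simple host-level correlation check. The following is an added detection example, not code from Check Point's or Intezer's research; the event lines are constructed, the field names are assumptions rather than a real telemetry schema, and the autorun registry locations it matches are an assumption, since the article does not name the key SysJoker writes.

```python
import json
import re

# Constructed Sysmon-like JSON events (field names are assumptions, not a real schema).
SAMPLE_EVENTS = [
    r'{"host":"ws01","type":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -w hidden -c Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name upd -Value C:\\Users\\x\\update.exe"}',
    r'{"host":"ws01","type":"network","image":"C:\\Users\\x\\update.exe","url":"https://onedrive.live.com/download?cid=CONSTRUCTED"}',
    r'{"host":"ws02","type":"network","image":"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe","url":"https://onedrive.live.com/..."}',
    r'{"host":"ws03","type":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -c Get-Date"}',
]

# Autorun registry locations written via PowerShell. Assumption: the article does not
# name the key SysJoker uses, so the common Run/RunOnce locations are matched here.
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(RunOnce|Run)\b", re.IGNORECASE)
# OneDrive download hosts; fetches by the legitimate OneDrive client are ignored.
ONEDRIVE_RE = re.compile(r"^https?://([^/]+\.)?(onedrive\.live\.com|1drv\.ms)/", re.IGNORECASE)
ONEDRIVE_CLIENT = "onedrive.exe"


def detect(lines):
    """Return {host: [reasons]} for hosts showing both stages: a PowerShell-written
    autorun value and a OneDrive fetch by something other than the OneDrive client."""
    persistence, fetch = {}, {}
    for line in lines:
        ev = json.loads(line)
        image = ev.get("image", "").lower()
        if ev["type"] == "process" and image.endswith("powershell.exe") \
                and AUTORUN_RE.search(ev.get("cmdline", "")):
            persistence[ev["host"]] = ev["cmdline"]
        elif ev["type"] == "network" and ONEDRIVE_RE.match(ev.get("url", "")) \
                and not image.endswith(ONEDRIVE_CLIENT):
            fetch[ev["host"]] = ev["image"]
    # Only hosts where both stages were observed are reported.
    return {h: [f"PowerShell autorun write: {persistence[h]}",
                f"non-client OneDrive fetch by {fetch[h]}"]
            for h in persistence if h in fetch}


if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_EVENTS).items():
        print(f"{host}: " + "; ".join(reasons))
```

Either stage on its own is noisy (administrators write Run keys, and many tools fetch from OneDrive), which is why the check only fires when both appear on the same host.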
Check Point researchers also discovered two more SysJoker samples, which they named 'DMADevice' and 'AppMessagingRegistrar' based on their specific characteristics, but state that all the samples follow similar operational patterns.
Links to Gaza Cybergang
When analyzing the new variant, researchers found that SysJoker's custom encryption of the main code strings was distinctive. The three encrypted strings are the OneDrive URL containing the final C2 address, the C2 address received from the request to OneDrive, and a PowerShell command used for persistence.
The scheme is so distinctive that it had been seen only a few times before, namely in Operation Electric Powder, a campaign that the security firm ClearSky summarized as follows:
From April 2016 until at least February 2017, attackers have been spreading malware via fake Facebook profiles and pages, breached websites, self-hosted and cloud based websites. Various artifacts indicate that the main target of this campaign is IEC – Israel Electric Company. These include domains, file names, Java package names, and Facebook activity. We dubbed this campaign ‘Operation Electric Powder’.
This prompted further digging, which uncovered new links suggesting that the same threat actor is behind both Operation Electric Powder and the deployment of the new Rust variant.
Both campaigns used API-themed URLs and implemented script commands similarly. A McAfee report attributed Operation Electric Powder to Gaza Cybergang, an Arabic-language, politically motivated cybercriminal group operating since 2012 that actively targets the Middle East and North Africa (MENA) region.
The Gaza Cybergang's attacks are a constant menace in the region, and its typical targets include government entities, embassies, oil and gas, journalists, activists, politicians, and diplomats.
Check Point believes there is sufficient evidence to link Gaza Cybergang to the new SysJoker variant. They concluded:
Although the SysJoker malware, which was first seen in 2021 and publicly described in 2022, wasn’t attributed to any known actor, we found evidence that this tool and its newer variants have been used as part of the Israeli-Hamas conflict. We were also able to make a connection between SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company…the earlier versions of the malware were coded in C++. Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements.