Hamas-Linked APT Wields New SysJoker Backdoor Against Israel

Attackers linked to the Palestinian militant group Hamas are using a revamped version of the SysJoker multi-platform backdoor to attack targets in Israel as the conflict between the two continues despite a current pause in the fighting. An advanced persistent threat group, believed to be Gaza Cybergang, is attacking Israeli targets with a Rust-based version of SysJoker, an unattributed, multi-platform backdoor first discovered by Intezer in 2021, researchers from Check Point revealed in a blog post late last week.

The latest variant maintains similar functionality to the original malware, but it has been completely rewritten from its original language, C++, to the Rust programming language, signaling a significant evolution in the malware, the researchers noted. The APT also uses OneDrive, instead of the Google Drive used in previous variants, to store dynamic command-and-control (C2) server URLs. "Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements," the researchers noted.

The platform-agnostic Rust, first released eight years ago, is a programming language increasingly favored by organizations and hackers alike, mainly because of its security features, which also make Rust binaries harder to detect and reverse-engineer.

New SysJoker in Play

The Rust-based variant of SysJoker discovered by Check Point was submitted to VirusTotal on Oct. 12, having been compiled a few months earlier on Aug. 7. Researchers observed some notable evasive features, including the use of "random sleep intervals at various stages of its execution, which may serve as possible anti-sandbox or anti-analysis measures," according to the post. The variant has two modes of operation that appear aimed at distinguishing the first execution from any subsequent ones launched from persistence.
Which mode runs depends on whether the malware is executing from a particular path, C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe. If the malware runs from that persistence path, it contacts a OneDrive URL hardcoded and encrypted inside the binary to retrieve the C2 server address. "Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services," according to the post. "This behavior remains consistent across different versions of SysJoker." If the sample runs from a different location, which indicates that it is being executed for the first time, the malware copies itself to C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe and then runs itself from the newly created path using PowerShell. SysJoker then proceeds to collect information about the infected system, including the Windows version, username, MAC address, and various other data, to send back to the C2. In addition to the newly found Rust variant, Check Point also uncovered two more new SysJoker samples that are slightly more complex.

Links to Previous Attack

Check Point also found a connection between the latest attacks using the Rust-based SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company attributed to Gaza Cybergang, despite the significant time gap between the operations. The Electric Powder Operation, revealed in a report by ClearSky, used phishing and fake Facebook pages to deliver both Windows and Android malware. Both campaigns used API-themed URLs and implemented script commands in a similar fashion, the researchers noted. There are also similarities between a PowerShell command used for persistence in the latest SysJoker attacks and one used in the Electric Powder Operation, they said.
The "Unique" PowerShell command is a string associated with custom encryption used by SysJoker, alongside two other strings: the OneDrive URL containing the final C2 address and the C2 address received from the request to OneDrive, the researchers noted. "It is shared between multiple variants of SysJoker and only appears to be shared with one other campaign, associated with Operation Electric Powder previously reported by ClearSky," according to the post. Check Point included a list of indicators of compromise and hashes associated with the SysJoker attacks to help organizations identify whether they have been targeted. Endpoint protection and threat emulation tools can also help protect potential victims against compromise.
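The behaviour chain described above (copy to the fixed ProgramData path, relaunch via PowerShell, OneDrive lookup for the C2 address) is concrete enough to hunt for in endpoint telemetry. The following script is an added example written for this page, not code from Check Point or from the SysJoker report: it runs three simple rules over constructed Sysmon-style events (file creation, process creation, network connection) and reports which stages of the chain appear. The staging path comes from the article; the OneDrive service domains it matches on are an assumption, since the hardcoded URL itself is not published here, and the sample events are made up for the demonstration.

```python
"""Hunt for the SysJoker staging chain in Sysmon-style endpoint events.

Added example for this article, not Check Point's code. Events are
constructed dicts mimicking Sysmon EventID 11 (FileCreate),
1 (ProcessCreate) and 3 (NetworkConnect); no real telemetry is used.
"""
import re
from typing import Iterable, Dict, List

# Staging / persistence path reported by Check Point (from the article).
SYSJOKER_PATH = r"C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe"

# Assumption: the encrypted OneDrive URL is not published, so we only match
# the OneDrive service domains a C2-lookup request would be sent to.
ONEDRIVE_HOSTS = re.compile(r"(^|\.)(onedrive\.live\.com|1drv\.ms)$", re.I)

POWERSHELL_SUFFIX = "\\powershell.exe"


def _same_path(candidate: str, reference: str) -> bool:
    """Case-insensitive Windows path comparison, tolerating forward slashes."""
    return candidate.replace("/", "\\").lower() == reference.lower()


def find_sysjoker_indicators(events: Iterable[Dict]) -> List[Dict]:
    """Return one hit per event that matches a stage of the chain."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        rule = None
        # Stage 1: first run copies itself to the fixed ProgramData path.
        if eid == 11 and _same_path(ev.get("TargetFilename", ""), SYSJOKER_PATH):
            rule = "staging_copy"
        # Stage 2: the copy is started from PowerShell.
        elif (eid == 1 and _same_path(image, SYSJOKER_PATH)
              and ev.get("ParentImage", "").lower().endswith(POWERSHELL_SUFFIX)):
            rule = "powershell_relaunch"
        # Stage 3: the persisted binary fetches its C2 address from OneDrive.
        elif (eid == 3 and _same_path(image, SYSJOKER_PATH)
              and ONEDRIVE_HOSTS.search(ev.get("DestinationHostname", ""))):
            rule = "onedrive_c2_lookup"
        if rule:
            hits.append({"rule": rule, "UtcTime": ev.get("UtcTime"), "Image": image})
    return hits


def chain_score(events: Iterable[Dict]) -> int:
    """Number of distinct chain stages seen; 3 means the full sequence."""
    return len({h["rule"] for h in find_sysjoker_indicators(events)})


# Constructed sample events: three malicious stages plus two benign look-alikes
# (PowerShell starting Notepad, and the real OneDrive client syncing).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2023-11-20 09:00:01",
     "Image": r"C:\Users\alice\Downloads\attachment.exe",
     "TargetFilename": SYSJOKER_PATH},
    {"EventID": 1, "UtcTime": "2023-11-20 09:00:03",
     "Image": SYSJOKER_PATH, "ParentImage": PS_IMAGE},
    {"EventID": 1, "UtcTime": "2023-11-20 09:00:04",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": PS_IMAGE},
    {"EventID": 3, "UtcTime": "2023-11-20 09:00:09",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "DestinationHostname": "onedrive.live.com"},
    {"EventID": 3, "UtcTime": "2023-11-20 09:01:12",
     "Image": SYSJOKER_PATH, "DestinationHostname": "onedrive.live.com"},
]

if __name__ == "__main__":
    for hit in find_sysjoker_indicators(SAMPLE_EVENTS):
        print(hit["UtcTime"], hit["rule"], hit["Image"])
    print("stages seen:", chain_score(SAMPLE_EVENTS))
```

The rules deliberately key on the combination of path, parent process and destination rather than on the OneDrive domain alone, because legitimate OneDrive traffic is ubiquitous; the benign OneDrive.exe event in the sample is not flagged for that reason. In a real deployment the path constant would be joined by the hashes from Check Point's IoC list, and the random sleep intervals the researchers describe mean the stages can be minutes apart, so the events should be correlated per host over a window rather than matched back to back.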

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:01 +0000

