Hamas-Linked SysJoker Backdoor: A Persistent Threat’s New Dangerous Facade

SysJoker Backdoor
Metadata of OneDrive file containing the encrypted C2 server.

Check Point Research is tracking the active development of SysJoker, a cross-platform backdoor that is believed to have been used by a Hamas-linked hacker group to attack Israel.

Among the key changes in SysJoker are a shift from C++ to the programming language Rust, which indicates a complete rewrite of the malware code while maintaining similar functionality. The attackers also switched to using OneDrive instead of Google Drive to store dynamic Command and Control (C2) server URLs.

Metadata of OneDrive file containing the encrypted C2 server. | Image: Check Point

One variant of SysJoker, written in Rust, was submitted to VirusTotal under the name php-cgi.exe. The malware uses random sleep intervals at different stages of execution, which may serve as an anti-analysis measure. SysJoker backdoor collects information about the infected system, including Windows version, username, MAC address, IP address, and other data. The collected information is sent to the C2 server.

Analysis of the new variants of SysJoker showed links to previously undisclosed samples of Operation Electric Powder, a series of targeted attacks against Israeli organizations from 2016 to 2017 that were indirectly linked to the Gaza Cybergang (Gaza Hackers Team, MoleRATs) hacker group, which is believed to be operating from Palestine.

We found evidence that this tool and its newer variants have been used as part of the Israeli-Hamas conflict. We were also able to make a connection between SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company,” researchers concluded.

In 2017, Palo Alto Networks discovered a malicious campaign by the Gaza Cybergang group that targeted government organizations. The attackers used two malware samples, the Downeks loader and the QuasarRAT remote access trojan, which are designed to attack users who speak Hebrew.