New version of Trojan program SysJoker uses Rust programming language

SysJoker was originally written in C++, but the latest version uses the Rust programming language and has been used by hacker groups related to Hamas to target Israel.


Check Point Research recently discovered a new version of the cross-platform Trojan program SysJoker. It was originally written in C++, but the latest version is written in Rust and has been used by hacker groups related to Hamas to target Israel.

SysJoker first appeared in 2021. At that time it was a cross-platform Trojan program capable of attacking Windows, Linux, and macOS. It disguised itself as a system update file and then decrypted a file stored in Google Drive to obtain its C&C address. According to the analysis by Intezer, the security company that exposed it at the time, SysJoker constantly changed its C&C server, which means the attacker was very active and was monitoring the compromised devices, and is believed to have been looking for specific targets.

SysJoker behaves similarly on all platforms. Intezer believes the purpose of the attack is espionage, but it has lateral-movement characteristics and may also lead to ransomware attacks.

The SysJoker discovered by Check Point Research is written in Rust, which means the attacker completely rewrote SysJoker while maintaining similar functionality. In addition, the attacker switched from Google Drive to OneDrive to store the dynamic C&C URL.

On the other hand, the C++ version of SysJoker can not only download and execute remote programs from archive files, but also execute commands instructed by the attacker. The Rust version, after receiving and executing the downloaded file, only reports the success or failure of the operation back to the C&C server; it has no ability to execute commands directly.

Recent research suggests that the Rust version of SysJoker is linked to Operation Electric Powder, a hacking campaign that attacked the Israel Electric Company in 2016/2017. Both used API-themed URLs and executed scripted commands in a similar manner.
