APT Hackers Behind SysJoker Attacking Critical Industrial Sectors
SysJoker malware was originally found to be used by the APT group dubbed "WildCard" and targeted Israel's education sector. However, the operations of this APT threat actor have expanded to include more malware variants, one of which was found to be written in the Rust programming language.
This new Rust malware has been named "RustDown" by the malware developers. In addition, the threat actor has also shifted its focus to critical sectors within Israel, such as education, IT infrastructure, and electricity generation.
Technical Analysis
Two new malware variants have been found that evolved from the SysJoker malware. These variants were named DMADevice.exe and AppMessagingRegistrar.exe and were written in C++.
Three samples of these malware variants were found, two of them being DMADevice.exe and AppMessagingRegistrar.exe.
DMADevice
According to the samples analyzed, this malware had code similar to SysJoker. Furthermore, one unique string was identified to be exactly the same as in the SysJoker malware.
It was the custom alphabet "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghilmnopqrstuvmxyz" that was present in the code of both SysJoker and the DMADevice malware variants. This string misses two characters, "jk", the same in both samples.
AppMessagingRegistrar
This variant was identified to have been compiled after the DMADevice variant and also shares the same code as SysJoker. However, there are different functions, XOR keys, and URL paths in this malware. The URL paths used by this malware are:
- api/update
- /api/register
- /api/library
- /api/requests
This malware is downloaded from a ZIP file and executed by a DLL file masquerading as the Brave browser. Furthermore, the use of Gdrive and OneDrive was identical in both the DMADevice and AppMessagingRegistrar variants of SysJoker malware.
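As an added triage example (not code from the article or from the researchers it cites), the script below hunts for the shared custom alphabet string in a sample, in both ASCII and UTF-16LE form, and flags proxy log entries whose request path matches one of the AppMessagingRegistrar URL paths listed above. The log format and the sample bytes are constructed for the example.

```python
import re
from typing import Dict, List

# The alphabet and URL paths are the values quoted in the article.
CUSTOM_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghilmnopqrstuvmxyz"
URL_PATHS = ("api/update", "/api/register", "/api/library", "/api/requests")
_PATH_SET = {p.strip("/") for p in URL_PATHS}

def find_custom_alphabet(sample: bytes) -> Dict[str, List[int]]:
    """Offsets at which the shared alphabet occurs in a sample, as ASCII and as
    UTF-16LE (Windows binaries store string literals in either form)."""
    hits: Dict[str, List[int]] = {}
    for label, encoding in (("ascii", "ascii"), ("utf16le", "utf-16-le")):
        needle = re.escape(CUSTOM_ALPHABET.encode(encoding))
        offsets = [m.start() for m in re.finditer(needle, sample)]
        if offsets:
            hits[label] = offsets
    return hits

# Assumed (constructed) proxy log format: "<timestamp> <client> <method> <url> <status>".
_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def suspicious_requests(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed log entries whose URL path is one of the C2 paths above."""
    flagged = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        # Drop scheme and host, then the query string, leaving only the path.
        path = re.sub(r"^https?://[^/]+", "", m.group("url")).split("?", 1)[0]
        if path.strip("/") in _PATH_SET:
            flagged.append(m.groupdict())
    return flagged

# Constructed sample data so the script runs stand-alone.
SAMPLE_BINARY = b"\x00" * 16 + CUSTOM_ALPHABET.encode("utf-16-le") + b"\x00" * 8
SAMPLE_LOGS = [
    "2023-10-02T09:14:03Z 10.0.0.21 GET http://cdn.example.test/static/app.js 200",
    "2023-10-02T09:14:05Z 10.0.0.21 POST http://files.example.test/api/register?id=7 200",
    "2023-10-02T09:14:09Z 10.0.0.21 GET http://files.example.test/api/update 200",
]

if __name__ == "__main__":
    print(find_custom_alphabet(SAMPLE_BINARY))  # {'utf16le': [16]}
    for entry in suspicious_requests(SAMPLE_LOGS):
        print(entry["client"], entry["method"], entry["url"])
```

A single path match is weak evidence on its own; pair it with the alphabet string hit or the other indicators the full report provides before escalating.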
RustDown: The new variant
As of October 2023, the APT group has been found to be relying on a specific malware written in Rust, which was a 32-bit Windows executable that disguised itself as a PHP framework component.
The codebase of this malware was new but shared the same Tactics, Techniques, and Procedures (TTPs) as the WildCard APT group.
This malware implements multiple calls to the Sleep API with random time intervals, which was similar to the SysJoker malware. Furthermore, it also copies the executable to another location using PowerShell for persistence.
A full report about these new variants of SysJoker malware and the WildCard APT group has been published, which provides detailed information about the TTPs, source code, hash values, and other details.
Indicators of Compromise
Source credit : cybersecuritynews.com