Researchers have come across a previously undocumented Trojan used by an APT group of Iranian origin that has been targeting organizations in Israel but also other countries since last year with the intention of damaging their infrastructure.
The group, tracked as Moses Staff by researchers from security firm Cybereason, has been operating since at least September 2021 and its primary goal is to steal sensitive data. It also deploys file encrypting malware, but unlike ransomware, the goal is to cause business disruption and cover its tracks rather than financial gain.
Who is Moses Staff?
Moses Staff’s malicious activities were first documented last year by researchers from Check Point after a wave of attacks targeting organizations in Israel. Over the past two years there have been several groups targeting organizations in the country with ransomware-like attacks and lengthy negotiations, but Moses Staff stands out because its motivation is purely political.
The group has openly stated that its goal is to damage Israeli organizations by leaking their data and damaging their operations with no ransom demands. However, since then it has also targeted companies with operations in Italy, India, Germany, Chile, Turkey, UAE and the U.S.
“Analysis of the group’s conduct and operations suggests that Moses Staff leverages cyber espionage and sabotage to advance Iran’s geopolitical goals by inflicting damage and spreading fear,” researchers from Cybereason said in a blog post.
The group gains access to organizations by exploiting known vulnerabilities in publicly facing servers such as Microsoft Exchange and then performs lateral movement by using system administration tools like PsExec, the Windows Management Instrumentation command-line (WMIC) and PowerShell. This is similar to how most APT and ransomware groups operate.
Some of the group’s custom malware tools that have been documented called PyDCrypt and DCSrv. The first is a Python-based malware loader whose goal is to execute DCSrv, which is a variant of the publicly available malware tool DiskCryptor. Each victim receives a custom version of PyDCrypt with hardcoded admin credentials, local domain and a list of machines to infect. This suggests before reaching the PyDCrypt deployment stage, the group had performed sufficient reconnaissance efforts inside a victim’s network to map out the target environment.
The StrifeWater transient Trojan
While not a lot was known about the reconnaissance stage, researchers from Cybereason now think they found the missing link: a remote access Trojan (RAT) that the Moses Staff attackers deploy but later remove in later stages of the attack.
Dubbed StrifeWater, the Trojan is deployed with the name calc.exe, which is why some infected systems are later found without the Windows Calculator tool, also named calc.exe and possibly removed during the group’s cleanup routine. StrifeWater’s built-in functionality includes listing system files, executing shell commands, taking screen captures, achieving persistence via a scheduled task and downloading auxiliary modules that might extend its capabilities.
The Trojan uses a hard coded IP address and URl for communication with a command-and-control server but was also observed communicating with a hard-coded domain name. When first deployed, it collects information about the machine name, the local account, OS version, CPU architecture, time zone and user privileges.
“The StrifeWater RAT is suspected to be one of the main tools that are used to create a foothold in victim environments and appears to only be used in the earlier stages of the attack,” the Cybereason researchers said. “Our analysis suggests that the Moses Staff operators make conscious efforts to stay under the radar and avoid detection until the last phase of the attack when they deploy and execute their ransomware payload. Furthermore, our research shows that the Moses Staff modus operandi includes attempts to masquerade its arsenal as legitimate Windows software along with the removal of their initial persistence and reconnaissance tools.”