APT Group Moses Staff Adds New Tools to Ransomware Operations

The Iranian hacker group Moses Staff has been active since October 2021. The group claims that its primary goal is leaking sensitive data stolen from Israeli companies.

The group has also targeted organizations in India, Italy, Turkey, Germany, Chile, the U.S. and the UAE. Its victims span several industries, including government, energy, manufacturing, finance, and utilities.

Researchers at Cybereason Nocturnus conducted several investigations and identified the group's main tools as "PyDCrypt" and "DCSrv". Another notable finding was a previously unidentified RAT named Strifewater.

Beyond the capabilities of other RATs, this one can cover its tracks by removing itself from infected systems, execute commands, capture the screen, and download additional extensions.


Most ransomware attacks are financially motivated, but Moses Staff differs from other ransomware actors. After infiltrating an organization and stealing sensitive data, the group deploys ransomware and encrypts files for only two purposes: i) disrupting critical business operations and ii) erasing its footprints.

Since their operations focus solely on cyber espionage and harming business operations, suspicions have grown that the group is politically motivated.

Key Findings

Novel Remote Access Trojan: The newly discovered Strifewater RAT is assessed to be part of the Moses Staff arsenal. It is used mainly in the initial phase of infection, with other tools taking over later.

Various Functionality: The Strifewater RAT can also download updates and auxiliary modules, list files on the system, capture the screen, and run commands.

Invisible: The Strifewater RAT went undetected for so long because it was removed before the ransomware was deployed.

State-Sponsored Ransomware: To advance Iran's geopolitical goals, the group adds post-exfiltration ransomware to disrupt operations and obfuscate its espionage activities, among other aims. Financial gain was never the motive.

Worldwide Victims: Organizations in India, Israel, Italy, Chile, Germany, the UAE, Turkey, and the US were among those found to be affected by these Iranian hackers.

Strifewater

Though Strifewater managed to stay off the radar for some time, Cybereason researchers found that the RAT had been deployed under the name calc.exe. This was identified during analysis of the PyDCrypt malware used by Moses Staff.

PyDCrypt

PyDCrypt was built with PyInstaller and dropped the payload DCSrv, a ransomware variant based on the DiskCryptor tool. Interestingly, the Moses Staff group created a separate PyDCrypt sample for each targeted organization.

The hard-coded parameters in PyDCrypt included usernames, passwords, local domain addresses and even a list of machines. This indicates that PyDCrypt is deployed only after the attackers have infiltrated the organization and gathered enough information to map out the environment.

The group often used the C:\Users\Public folder to deploy all of its tools. PyDCrypt was coded to copy the original Windows Calculator binary (calc.exe) from the System32 folder to the tool deployment folder (C:\Users\Public\calc.exe) and then delete it.

Cybereason researchers assess that this deletion was an attempt to erase the attackers' footprints and hinder forensic analysis. They also suspect that the Strifewater RAT was used to perform the initial information gathering on the target so that PyDCrypt could be tailored to the target's environment.
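As an added detection example (not from the article or Cybereason's report), the following Python hunts constructed Sysmon-style events for the pattern described above: an executable under C:\Users\Public that carries a System32 binary's name but not its hash, followed by deletion of that path. Event IDs 1, 11 and 23 follow Sysmon's numbering; the hash values and the KNOWN_GOOD table are constructed placeholders, not real indicators.

```python
import re

# Constructed Sysmon-style events (not from the report). EventID 1 = process
# create, 11 = file create, 23 = file delete. Only the fields a hunt needs.
SAMPLE_EVENTS = [
    {"id": 11, "path": r"C:\Users\Public\calc.exe", "hash": "aaaa1111"},  # RAT staged as calc.exe
    {"id": 1,  "path": r"C:\Users\Public\calc.exe", "hash": "aaaa1111"},  # RAT executed
    {"id": 11, "path": r"C:\Users\Public\calc.exe", "hash": "c0ffee00"},  # overwritten with real calc
    {"id": 23, "path": r"C:\Users\Public\calc.exe", "hash": "c0ffee00"},  # then deleted
    {"id": 1,  "path": r"C:\Windows\System32\calc.exe", "hash": "c0ffee00"},
    {"id": 11, "path": r"C:\Users\Public\report.docx", "hash": "d0c0d0c0"},
]

# Hypothetical known-good hashes of System32 binaries; a real hunt would
# take these from a golden image rather than hard-code them.
KNOWN_GOOD = {"calc.exe": "c0ffee00"}

STAGING_DIR = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_masquerades(events, known_good=KNOWN_GOOD):
    """Return (kind, path, hash) findings: 'masquerade' for a file under
    C:\\Users\\Public that borrows a System32 binary's name but has a different
    hash, and 'cleanup_delete' when such a path is later deleted."""
    findings, seen, suspect_paths = [], set(), set()
    for ev in events:
        path, name = ev["path"], basename(ev["path"])
        if not STAGING_DIR.match(path) or name not in known_good:
            continue  # not in the staging folder, or no baseline to compare with
        if ev["id"] in (1, 11) and ev["hash"] != known_good[name]:
            key = (path.lower(), ev["hash"])
            if key not in seen:  # report each distinct file once
                seen.add(key)
                findings.append(("masquerade", path, ev["hash"]))
            suspect_paths.add(path.lower())
        elif ev["id"] == 23 and path.lower() in suspect_paths:
            findings.append(("cleanup_delete", path, ev["hash"]))
    return findings


if __name__ == "__main__":
    for kind, path, digest in find_masquerades(SAMPLE_EVENTS):
        print(f"{kind}: {path} ({digest})")
```

The legitimate calc.exe copied over the staged file is not flagged on its own; it is the earlier hash mismatch on the same path, and the later delete, that surface the sequence.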

The Strifewater sample contains the program database (PDB) path "C:\Users\win8\Desktop\ishdar_win8\1\x64\Release\brokerhost.pdb". The malware also contains an additional domain and URL that were observed in use:

  • techzenspace(.)com
  • RVP/index3.php

Cybereason has published a complete report documenting the RAT's structure and communication.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.