The Moses Staff group's main target is Israel, but has recently launched attacks on organizations in other countries including India, Germany and the U.S. Credit: v-graphix / Getty Images Researchers have come across a previously undocumented Trojan used by an APT group of Iranian origin that has been targeting organizations in Israel but also other countries since last year with the intention of damaging their infrastructure.The group, tracked as Moses Staff by researchers from security firm Cybereason, has been operating since at least September 2021 and its primary goal is to steal sensitive data. It also deploys file encrypting malware, but unlike ransomware, the goal is to cause business disruption and cover its tracks rather than financial gain.Who is Moses Staff? Moses Staff’s malicious activities were first documented last year by researchers from Check Point after a wave of attacks targeting organizations in Israel. Over the past two years there have been several groups targeting organizations in the country with ransomware-like attacks and lengthy negotiations, but Moses Staff stands out because its motivation is purely political.The group has openly stated that its goal is to damage Israeli organizations by leaking their data and damaging their operations with no ransom demands. However, since then it has also targeted companies with operations in Italy, India, Germany, Chile, Turkey, UAE and the U.S. “Analysis of the group’s conduct and operations suggests that Moses Staff leverages cyber espionage and sabotage to advance Iran’s geopolitical goals by inflicting damage and spreading fear,” researchers from Cybereason said in a blog post.The group gains access to organizations by exploiting known vulnerabilities in publicly facing servers such as Microsoft Exchange and then performs lateral movement by using system administration tools like PsExec, the Windows Management Instrumentation command-line (WMIC) and PowerShell. This is similar to how most APT and ransomware groups operate. Some of the group’s custom malware tools that have been documented called PyDCrypt and DCSrv. The first is a Python-based malware loader whose goal is to execute DCSrv, which is a variant of the publicly available malware tool DiskCryptor. Each victim receives a custom version of PyDCrypt with hardcoded admin credentials, local domain and a list of machines to infect. This suggests before reaching the PyDCrypt deployment stage, the group had performed sufficient reconnaissance efforts inside a victim’s network to map out the target environment.The StrifeWater transient TrojanWhile not a lot was known about the reconnaissance stage, researchers from Cybereason now think they found the missing link: a remote access Trojan (RAT) that the Moses Staff attackers deploy but later remove in later stages of the attack.Dubbed StrifeWater, the Trojan is deployed with the name calc.exe, which is why some infected systems are later found without the Windows Calculator tool, also named calc.exe and possibly removed during the group’s cleanup routine. StrifeWater’s built-in functionality includes listing system files, executing shell commands, taking screen captures, achieving persistence via a scheduled task and downloading auxiliary modules that might extend its capabilities.The Trojan uses a hard coded IP address and URl for communication with a command-and-control server but was also observed communicating with a hard-coded domain name. When first deployed, it collects information about the machine name, the local account, OS version, CPU architecture, time zone and user privileges.“The StrifeWater RAT is suspected to be one of the main tools that are used to create a foothold in victim environments and appears to only be used in the earlier stages of the attack,” the Cybereason researchers said. “Our analysis suggests that the Moses Staff operators make conscious efforts to stay under the radar and avoid detection until the last phase of the attack when they deploy and execute their ransomware payload. Furthermore, our research shows that the Moses Staff modus operandi includes attempts to masquerade its arsenal as legitimate Windows software along with the removal of their initial persistence and reconnaissance tools.” Related content news FBI probes into Pennsylvanian water utility hack by pro-Iran group Federal and state investigations are underway for the recent pro-Iran hack into a Pennsylvania-based water utility targeting Israel-made equipment. By Shweta Sharma Nov 29, 2023 4 mins Cyberattacks Utilities Industry feature 3 ways to fix old, unsafe code that lingers from open-source and legacy programs Code vulnerability is not only a risk of open-source code, with many legacy systems still in use — whether out of necessity or lack of visibility — the truth is that cybersecurity teams will inevitably need to address the problem. By Maria Korolov Nov 29, 2023 9 mins Security Practices Vulnerabilities Security news Amazon’s AWS Control Tower aims to help secure your data’s borders As digital compliance tasks and data sovereignty rules get ever more complicated, Amazon wants automation to help. By Jon Gold Nov 28, 2023 3 mins Regulation Cloud Security news North Korean hackers mix code from proven malware campaigns to avoid detection Threat actors are combining RustBucket loader with KandyKorn payload to effect an evasive and persistent RAT attack. By Shweta Sharma Nov 28, 2023 3 mins Malware Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe