Moses Staff

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff has openly stated that its motivation for attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting victims' networks without a ransom demand.[1]

Security researchers assess that Moses Staff is politically motivated and has also targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.[2]

ID: G1009
Associated Groups: DEV-0500, Marigold Sandstorm
Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India
Version: 2.0
Created: 11 August 2022
Last Modified: 11 April 2024

Associated Group Descriptions

Name Description
DEV-0500 [3]
Marigold Sandstorm [3]

Techniques Used

Domain ID Name Use
Enterprise T1190 Exploit Public-Facing Application

Moses Staff has exploited known vulnerabilities in public-facing infrastructure such as Microsoft Exchange Servers.[1]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.[1]

Enterprise T1587 .001 Develop Capabilities: Malware

Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

Moses Staff has dropped a web shell onto a compromised system.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Moses Staff has used obfuscated web shells in their operations.[1]

Enterprise T1082 System Information Discovery

Moses Staff has collected information about the infected host, including the machine name and OS architecture.[1]

Enterprise T1016 System Network Configuration Discovery

Moses Staff has collected the domain name of a compromised network.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Moses Staff has used the commercial tool DiskCryptor.[1]

Enterprise T1087 .001 Account Discovery: Local Account

Moses Staff has collected the administrator username from a compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

Moses Staff has downloaded and installed web shells to the following path: C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Moses Staff has used batch scripts that can enable SMB on a compromised host.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Moses Staff has used signed drivers from the open-source tool DiskCryptor to evade detection.[1]

Software

References