DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | DCSrv has masqueraded its service as a legitimate svchost.exe process.[1] |
| Enterprise | T1112 | Modify Registry | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | DCSrv has created new services for persistence by modifying the Registry.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor.[1] |
| Enterprise | T1106 | Native API | DCSrv has used various Windows API functions, including |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1529 | System Shutdown/Reboot | DCSrv has a function to sleep for two hours before rebooting the system.[1] |
| Enterprise | T1124 | System Time Discovery | DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process.[1] |
| ID | Name | References |
|---|---|---|
| G1009 | Moses Staff | |