Iranian APT group uses previously undocumented Trojan for destructive access to organisations

Iranian APT group uses previously undocumented Trojan for destructive access to organisations

The Moses Staff group's main target is Israel, but has recently launched attacks on organisations in other countries including India, Germany and the U.S.

Credit: Dreamstime

Researchers have come across a previously undocumented Trojan used by an APT group of Iranian origin that has been targeting organisations in Israel but also other countries since last year with the intention of damaging their infrastructure.

The group, tracked as Moses Staff by researchers from security firm Cybereason, has been operating since at least September 2021 and its primary goal is to steal sensitive data. It also deploys file encrypting malware, but unlike ransomware, the goal is to cause business disruption and cover its tracks rather than financial gain.

Who is Moses Staff?

Moses Staff's malicious activities were first documented last year by researchers from Check Point after a wave of attacks targeting businesses in Israel. Over the past two years there have been several groups targeting organisations in the country with ransomware-like attacks and lengthy negotiations, but Moses Staff stands out because its motivation is purely political.

The group has openly stated that its goal is to damage Israeli organisations by leaking their data and damaging their operations with no ransom demands. However, since then it has also targeted companies with operations in Italy, India, Germany, Chile, Turkey, UAE and the U.S.

"Analysis of the group’s conduct and operations suggests that Moses Staff leverages cyber espionage and sabotage to advance Iran’s geopolitical goals by inflicting damage and spreading fear," researchers from Cybereason said in a blog post.

The group gains access to organisations by exploiting known vulnerabilities in publicly facing servers such as Microsoft Exchange and then performs lateral movement by using system administration tools like PsExec, the Windows Management Instrumentation command-line (WMIC) and PowerShell. This is similar to how most APT and ransomware groups operate.

Some of the group's custom malware tools that have been documented called PyDCrypt and DCSrv. The first is a Python-based malware loader whose goal is to execute DCSrv, which is a variant of the publicly available malware tool DiskCryptor. 

Each victim receives a custom version of PyDCrypt with hardcoded admin credentials, local domain and a list of machines to infect. This suggests before reaching the PyDCrypt deployment stage, the group had performed sufficient reconnaissance efforts inside a victim's network to map out the target environment.

The StrifeWater transient Trojan

While not a lot was known about the reconnaissance stage, researchers from Cybereason now think they found the missing link: a remote access Trojan (RAT) that the Moses Staff attackers deploy but later remove in later stages of the attack.

Dubbed StrifeWater, the Trojan is deployed with the name calc.exe, which is why some infected systems are later found without the Windows Calculator tool, also named calc.exe and possibly removed during the group's cleanup routine. 

StrifeWater's built-in functionality includes listing system files, executing shell commands, taking screen captures, achieving persistence via a scheduled task and downloading auxiliary modules that might extend its capabilities.

The Trojan uses a hard coded IP address and URl for communication with a command-and-control server but was also observed communicating with a hard-coded domain name. When first deployed, it collects information about the machine name, the local account, OS version, CPU architecture, time zone and user privileges.

"The StrifeWater RAT is suspected to be one of the main tools that are used to create a foothold in victim environments and appears to only be used in the earlier stages of the attack," the Cybereason researchers said.

"Our analysis suggests that the Moses Staff operators make conscious efforts to stay under the radar and avoid detection until the last phase of the attack when they deploy and execute their ransomware payload. Furthermore, our research shows that the Moses Staff modus operandi includes attempts to masquerade its arsenal as legitimate Windows software along with the removal of their initial persistence and reconnaissance tools."

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cyber security



How MSPs can capitalise on integrating AI into existing services

How MSPs can capitalise on integrating AI into existing services

​Given the pace of change, scale of digitalisation and evolution of generative AI, partners must get ahead of the trends to capture the best use of innovative AI solutions to develop new service opportunities. For MSPs, integrating AI capabilities into existing service portfolios can unlock enhancements in key areas including managed hosting, cloud computing and data centre management. This exclusive Reseller News roundtable in association with rhipe, a Crayon company and VMware, focused on how partners can integrate generative AI solutions into existing service offerings and unlocking new revenue streams.

How MSPs can capitalise on integrating AI into existing services
Access4 holds inaugural A/NZ Annual Conference

Access4 holds inaugural A/NZ Annual Conference

​Access4 held its inaugural Annual Conference in Port Douglass, Queensland, for Australia and New Zealand from 9-11 October, hosting partners from across the region with presentations on Access4 product updates, its 2023 Partner of the Year awards and more.

Access4 holds inaugural A/NZ Annual Conference
Show Comments