
Newly Detected “StrifeWater” RAT Linked to Iranian APT

The Iranian threat group known as Moses Staff was first spotted in October 2021. It claims its purpose is to harm Israeli companies by leaking sensitive stolen data, but it has also been seen targeting a variety of industries in countries such as Italy, India, Germany, Chile, Turkey, UAE and the U.S.


The Cybereason Nocturnus Team has detected a previously unidentified RAT used by MosesStaff. It calls this RAT ‘StrifeWater’. In its report on the RAT, Cybereason notes it is primarily used in the early stages of an attack. It is a stealthy RAT able to remove itself from the system, presumably to help cover the attackers’ tracks. This probably explains why the RAT was hitherto unidentified.

Moses Staff normally infiltrates a target, exfiltrates sensitive data and then deploys ransomware. The purpose of the ransomware appears not to be financial extortion, but a method of disrupting the target’s business operations while further covering the attackers’ tracks – it is more political than financial. This implies, but doesn’t by itself confirm, that MosesStaff is an Iranian state-sponsored group.

A typical attack would be to use PyDCrypt malware to spread to other computers on the network and drop the DCSrv payload. This is a ransomware variant based on the publicly available tool DiskCryptor. A new sample of PyDCrypt is built for each targeted organization, with hard-coded parameters. This implies that it is deployed at a late stage in the attack, after a successful reconnaissance phase.

StrifeWater is thought to establish persistence and conduct the reconnaissance phase. The attack copies the genuine Windows Calc.Exe to the folder containing the Moses Staff payloads, and then installs StrifeWater as Calc.Exe. When StrifeWater is no longer required, it is deleted and the original Calc.Exe returned. This, suggest the researchers, “was done in an attempt to cover the attackers’ tracks and thwart forensic analysis efforts.”

The researchers believe that the StrifeWater RAT is what is used to establish a foothold and conduct the reconnaissance necessary to deliver the ransomware to the required destinations. Its primary capabilities include listing system files, executing shell commands, taking screen captures, creating persistence through a scheduled task, and downloading updates and auxiliary modules – and self-deletion.
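The two behaviours described above (a copy of StrifeWater running under the name Calc.Exe from the payload folder, and persistence through a scheduled task) can be hunted for in endpoint telemetry. The following is an added example, not code from Cybereason or the article: it runs a simple check over constructed process-creation and task-creation records in a simplified schema (not real Sysmon or Security-log events), and the hashes are constructed placeholders rather than the digests of any real binary.

```python
"""Hunt for a calc.exe masquerade and scheduled-task persistence.
Records are constructed samples in a simplified schema; the SHA-256
values are placeholders, not the real digests of any binary."""
import ntpath

# Where the genuine calc.exe lives; anything else is worth a look.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Allow-list of known-good calc.exe digests. Constructed placeholder;
# populate it from a trusted reference image in practice.
KNOWN_GOOD_CALC_SHA256 = {"11" * 32}

SAMPLE_RECORDS = [  # constructed telemetry, not from any real host
    {"kind": "process_created", "image": r"C:\Windows\System32\calc.exe",
     "sha256": "11" * 32},
    {"kind": "process_created", "image": r"C:\Users\Public\Tools\Calc.Exe",
     "sha256": "22" * 32},
    {"kind": "task_created", "task": r"\Microsoft\Windows\Update\Calc",
     "action": r"C:\Users\Public\Tools\Calc.Exe"},
    {"kind": "process_created", "image": r"C:\Windows\System32\notepad.exe",
     "sha256": "33" * 32},
]


def check_record(rec: dict) -> list:
    """Return the reasons a record is suspicious; [] means nothing seen."""
    # Process records carry the binary in 'image', task records in 'action'.
    path = rec.get("image") or rec.get("action", "")
    if ntpath.basename(path).lower() != "calc.exe":
        return []
    reasons = []
    if ntpath.dirname(path).lower() not in SYSTEM_DIRS:
        reasons.append("calc.exe outside the Windows system directories")
    digest = rec.get("sha256", "").lower()
    if digest and digest not in KNOWN_GOOD_CALC_SHA256:
        reasons.append("hash does not match known-good calc.exe")
    if rec["kind"] == "task_created":
        reasons.append("scheduled task launches calc.exe (persistence)")
    return reasons


def hunt(records) -> list:
    """Run check_record over every record; return (record, reasons) hits."""
    findings = []
    for rec in records:
        if reasons := check_record(rec):
            findings.append((rec, reasons))
    return findings
```

The genuine System32 calc.exe with a matching digest produces no finding, while the copy in the payload folder is flagged twice (path and hash) and the scheduled task pointing at it is flagged as persistence.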

“Our research shows that the MosesStaff modus operandi includes attempts to masquerade its arsenal as legitimate Windows software along with the removal of their initial persistence and reconnaissance tools,” write the researchers. “This tactic helps to prevent investigators from discovering the full flow of the attack and thus the StrifeWater RAT remained undetected.”


Such campaigns, adds Cybereason co-founder and CEO Lior Div, “highlight the blurred line between nation-state and cybercrime threat actors, where ransomware gangs are more often employing APT-like tactics to infiltrate as much of a targeted network as possible without being detected, and APTs leveraging cybercrime tools like ransomware to distract, destroy and ultimately cover their tracks. For Defenders, there is no longer a significant distinction between nation-state adversaries and sophisticated cybercriminal operations.”

Cybereason also released a research report on a new PowerShell backdoor being used by the Iranian APT known as Phosphorus.

Cybereason, headquartered in Boston, was founded in 2012 by Lior Div (CEO), Yonatan Amit (CTO), and Yossi Naar (CVO). It raised $275 million in a Series F funding round in July 2021, followed by a further $50 million in October 2021, taking the total raised to $713.6 million.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
