The Iranian threat group known as Moses Staff was first spotted in October 2021. It claims its purpose is to harm Israeli companies by leaking sensitive stolen data, but it has also been seen targeting a variety of industries in countries such as Italy, India, Germany, Chile, Turkey, UAE and the U.S.
The Cybereason Nocturnus Team has detected a previously unidentified RAT used by MosesStaff. It calls this RAT ‘StrifeWater’. In its report on the RAT, Cybereason notes it is primarily used in the early stages of an attack. It is a stealthy RAT able to remove itself from the system, presumably to help cover the attackers’ tracks. This probably explains why the RAT was hitherto unidentified.
Moses Staff normally infiltrates a target, exfiltrates sensitive data and then deploys ransomware. The purpose of the ransomware appears not to be financial extortion, but a method of disrupting the target’s business operations while further covering the attackers’ tracks – it is more political than financial. This implies, but doesn’t by itself confirm, that MosesStaff is an Iranian state-sponsored group.
A typical attack would be to use PyDCrypt malware to spread to other computers on the network and drop the DCSrv payload. This is a ransomware variant based on the publicly available tool DiskCryptor. A new sample of PyDCypt is built for each targeted organization, with hard coded parameters. This implies that it is deployed at a late stage in the attack, after a successful reconnaissance phase.
StrifeWater is thought to establish persistence and conduct the reconnaissance phase. The attack copies the genuine Windows Calc.Exe to the folder containing the Moses Staff payloads, and then installs StrifeWater as Calc.Exe. When StrifeWater is no longer required, it is deleted and the original Calc.Exe returned. This, suggest the researchers, “was done in an attempt to cover the attackers’ tracks and thwart forensic analysis efforts.”
The researchers believe that the StrifeWater RAT is what is used to establish a foothold and conduct the reconnaissance necessary to deliver the ransomware to the required destinations. Its primary capabilities include listing system files, executing shell commands, taking screen captures, creating persistence through a scheduled task, and downloading updates and auxiliary modules – and self-deletion.
“Our research shows that the MosesStaff modus operandi includes attempts to masquerade its arsenal as legitimate Windows software along with the removal of their initial persistence and reconnaissance tools,” write the researchers. “This tactic helps to prevent investigators from discovering the full flow of the attack and thus the StrifeWater RAT remained undetected.”
Such campaigns, adds Cybereason co-founder and CEO Lior Div, “highlight the blurred line between nation-state and cybercrime threat actors, where ransomware gangs are more often employing APT-like tactics to infiltrate as much of a targeted network as possible without being detected, and APTs leveraging cybercrime tools like ransomware to distract, destroy and ultimately cover their tracks. For Defenders, there is no longer a significant distinction between nation-state adversaries and sophisticated cybercriminal operations.”
Cybereason also released a research report on a new PowerShell backdoor being used by the Iranian APT known as Phosphorus.
Cybereason, headquartered in Boston, was founded in 2012 by Lior Div (CEO), Yonatan Amit (CTO), and Yossi Naar (CVO). It raised $275 million in a Series F funding round in July 2021, followed by a further $50 million in October 2021, taking the total raised to $713.6 million.
Related: Cybereason Partners With Google Chronicle on XDR Product
Related: Iran-linked MalKamak Hackers Targeting Aerospace, Telcos With ShellClient RAT
Related: DeadRinger: A Three-Pronged Attack by Chinese Military Actors Against Telcos