1. Home
  2. Groups
  3. Moses Staff

Moses Staff

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.[1]

Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.[2]

ID: G1009
Associated Groups: DEV-0500, Marigold Sandstorm
Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India
Version: 2.0
Created: 11 August 2022
Last Modified: 11 April 2024
Version Permalink

Associated Group Descriptions

Name Description
DEV-0500

[3]
Marigold Sandstorm

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Moses Staff has collected the administrator username from a compromised host.[1]
Enterprise T1587 .001 Develop Capabilities: Malware

Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines.[1]
Enterprise T1190 Exploit Public-Facing Application

Moses Staff has exploited known vulnerabilities in public-facing infrastructure such as Microsoft Exchange Servers.[1]
Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.[1]
Enterprise T1105 Ingress Tool Transfer

Moses Staff has downloaded and installed web shells to following path C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx.[1]
Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Moses Staff has used obfuscated web shells in their operations.[1]
Enterprise T1588 .002 Obtain Capabilities: Tool

Moses Staff has used the commercial tool DiskCryptor.[1]
Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Moses Staff has used batch scripts that can enable SMB on a compromised host.[1]
Enterprise T1505 .003 Server Software Component: Web Shell

Moses Staff has dropped a web shell onto a compromised system.[1]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Moses Staff has used signed drivers from an open source tool called DiskCryptor to evade detection.[1]
Enterprise T1082 System Information Discovery

Moses Staff collected information about the infected host, including the machine names and OS architecture.[1]
Enterprise T1016 System Network Configuration Discovery

Moses Staff has collected the domain name of a compromised network.[1]

Software

ID Name References Techniques
S1033 DCSrv [1] Create or Modify System Process: Windows Service, Data Encrypted for Impact, Masquerading: Masquerade Task or Service, Modify Registry, Native API, Obfuscated Files or Information: Encrypted/Encoded File, System Shutdown/Reboot, System Time Discovery
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S1032 PyDCrypt [1] Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information: Encrypted/Encoded File, System Network Connections Discovery, System Owner/User Discovery, Windows Management Instrumentation
S1034 StrifeWater [2] Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Native API, Scheduled Task/Job, Screen Capture, System Information Discovery, System Owner/User Discovery, System Time Discovery, Virtualization/Sandbox Evasion: Time Based Evasion

References

  1. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  2. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  1. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.