Moses Staff

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.[1]

Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.[2]

ID: G1009
Associated Groups: DEV-0500, Marigold Sandstorm
Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India
Version: 2.0
Created: 11 August 2022
Last Modified: 11 April 2024

Associated Group Descriptions

Name Description


Marigold Sandstorm


Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Moses Staff has collected the administrator username from a compromised host.[1]

Enterprise T1587 .001 Develop Capabilities: Malware

Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines.[1]

Enterprise T1190 Exploit Public-Facing Application

Moses Staff has exploited known vulnerabilities in public-facing infrastructure such as Microsoft Exchange Servers.[1]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.[1]

Enterprise T1105 Ingress Tool Transfer

Moses Staff has downloaded and installed web shells to following path C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Moses Staff has used obfuscated web shells in their operations.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Moses Staff has used the commercial tool DiskCryptor.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Moses Staff has used batch scripts that can enable SMB on a compromised host.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

Moses Staff has dropped a web shell onto a compromised system.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Moses Staff has used signed drivers from an open source tool called DiskCryptor to evade detection.[1]

Enterprise T1082 System Information Discovery

Moses Staff collected information about the infected host, including the machine names and OS architecture.[1]

Enterprise T1016 System Network Configuration Discovery

Moses Staff has collected the domain name of a compromised network.[1]