PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff since at least September 2021, with each sample tailored for its intended victim organization.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | 
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | 
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | PyDCrypt, along with its functions, is written in Python.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | PyDCrypt has decrypted and dropped the DCSrv payload to disk.[1]
Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | PyDCrypt has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using
Enterprise | T1070.004 | Indicator Removal: File Deletion | PyDCrypt will remove all created artifacts such as dropped executables.[1]
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | PyDCrypt has dropped DCSrv under the
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the --key flag during the build phase.[1]
Enterprise | T1049 | System Network Connections Discovery | PyDCrypt has used netsh to find RPC connections on remote machines.[1]
Enterprise | T1033 | System Owner/User Discovery | PyDCrypt has probed victim machines with
Enterprise | T1047 | Windows Management Instrumentation | 

ID | Name | References
---|---|---
G1009 | Moses Staff | 