DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | DCSrv has created new services for persistence by modifying the Registry.[1]
Enterprise | T1486 | Data Encrypted for Impact | DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor.[1]
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | DCSrv has masqueraded its service as a legitimate svchost.exe process.[1]
Enterprise | T1112 | Modify Registry |
Enterprise | T1106 | Native API | DCSrv has used various Windows API functions, including
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File |
Enterprise | T1529 | System Shutdown/Reboot | DCSrv has a function to sleep for two hours before rebooting the system.[1]
Enterprise | T1124 | System Time Discovery | DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process.[1]

ID | Name | References
---|---|---
G1009 | Moses Staff |