DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[1]

ID: S1033
Platforms: Windows
Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 11 August 2022
Last Modified: 24 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1543 .003 Create or Modify System Process: Windows Service

DCSrv has created new services for persistence by modifying the Registry.[1]

Enterprise T1486 Data Encrypted for Impact

DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

DCSrv has masqueraded its service as a legitimate svchost.exe process.[1]

Enterprise T1112 Modify Registry

DCSrv has created Registry keys for persistence.[1]

Enterprise T1106 Native API

DCSrv has used various Windows API functions, including DeviceIoControl, as part of its encryption process.[1]

Enterprise T1027 Obfuscated Files or Information

DCSrv's configuration is encrypted.[1]

Enterprise T1529 System Shutdown/Reboot

DCSrv has a function to sleep for two hours before rebooting the system.[1]

Enterprise T1124 System Time Discovery

DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process.[1]

Groups That Use This Software

ID Name References
G1009 Moses Staff