Moses Staff Hacker Group Uses New StrifeWater RAT in Ransomware Attacks

Moses Staff, a politically motivated hacker group, uses the new StrifeWater RAT in ransomware attacks. The group has been linked to a series of espionage and sabotage attacks on Israeli entities in 2021.

Cybersecurity firm Cybereason, which has been tracking the operations of the Iranian actor known as Moses Staff, dubbed the malware “StrifeWater.”

Tom Fakterman, Cybereason security analyst, said in a report, “The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group’s tracks. The RAT possesses other capabilities, such as command execution and screen capturing, as well as the ability to download additional extensions.”

Moses Staff operations surfaced at the end of last year when Check Point Research discovered a number of attacks aimed at Israeli organizations since September 2021. The objective behind them is to disrupt the target’s business operations by encrypting their networks, with no option to regain access or negotiate a ransom.

The group relied on the open-source library DiskCryptor to perform volume encryption, and also infected the systems with a bootloader that prevents them from starting without the correct encryption key.

Moses Staff has targeted victims not only in Israel but also in other countries such as Italy, India, Germany, Chile, Turkey, the U.A.E., and the U.S.

Cybereason’s recent findings suggest the hacker group launches attacks using a RAT that’s deployed under the name “calc.exe” (the Windows Calculator binary). It is used during the early stages of the infection chain and is removed prior to the deployment of the file-encrypting malware.

According to the researchers, the removal of the malicious calculator executable and its subsequent replacement with the legitimate binary is an attempt on the part of the attackers to cover their tracks and delete evidence of the trojan. It also enables them to evade detection until the final phase of the attack, when the ransomware payload is executed.
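Because the fake calc.exe is swapped back for the genuine binary before the ransomware stage, a later disk scan finds nothing; what survives is historical process-creation telemetry. The following is an added detection example (not code from the Cybereason report): it runs over constructed process-creation records and flags any calc.exe that executed from outside the expected Windows directories or without the Microsoft signer the collector is assumed to report. Field names, the signer string and the hash values are assumptions for illustration.

```python
from dataclasses import dataclass

# Directories where the genuine Windows Calculator binary is expected to live.
EXPECTED_CALC_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Signer name assumed to be what the telemetry collector reports for OS binaries.
EXPECTED_SIGNER = "Microsoft Windows"


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (e.g. from an EDR or Sysmon Event ID 1)."""
    image_path: str
    signer: str   # Authenticode signer as reported by the collector; "" if unsigned
    sha256: str   # file hash as reported by the collector (placeholders below)


def is_suspicious_calc(ev: ProcessEvent) -> bool:
    """True if a binary named calc.exe ran from an unexpected path or unsigned."""
    path = ev.image_path.lower()
    directory, _, name = path.rpartition("\\")
    if name != "calc.exe":
        return False                     # only the masqueraded name is in scope
    if directory not in EXPECTED_CALC_DIRS:
        return True                      # Calculator never runs from user-writable dirs
    return ev.signer != EXPECTED_SIGNER  # dropped over the real file but not Microsoft-signed


def flag_masquerading_calc(events):
    """Return the subset of events worth an analyst's attention."""
    return [ev for ev in events if is_suspicious_calc(ev)]


# Constructed sample telemetry; hashes are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\calc.exe", "Microsoft Windows", "<legit-hash>"),
    ProcessEvent(r"C:\Users\Public\calc.exe", "", "<unknown-hash-1>"),
    ProcessEvent(r"C:\Windows\System32\calc.exe", "", "<unknown-hash-2>"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "Microsoft Windows", "<legit-hash>"),
]

if __name__ == "__main__":
    for ev in flag_masquerading_calc(SAMPLE_EVENTS):
        print("suspicious:", ev.image_path, "signer=", repr(ev.signer))
```

Only events 2 and 3 are flagged; the genuine Calculator and notepad.exe pass, which is the point of keying on both path and signer rather than on the file name alone.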

StrifeWater RAT is similar to other remote access trojans: it can list system files, execute system commands, take screen captures, establish persistence, and download updates and auxiliary modules.

Fakterman further added, “The end goal for Moses Staff appears to be more politically motivated rather than financial. Moses Staff employs ransomware post-exfiltration, not for financial gain, but to disrupt operations, obfuscate espionage activity, and to inflict damage to systems to advance Iran’s geopolitical goals.”
