Check Point Research said in a report released Monday. “The attackers’ goal is to fight against the resistance and expose the crimes of the Zionists in the occupied territories.”

Since September 2021, a new politically motivated hacker group known as “Moses Staff” has been linked to a wave of targeted attacks against Israeli organisations with the goal of stealing and leaking sensitive information before encrypting their networks, with no ransom demand.

Initial access to victims’ networks is most likely gained by exploiting known vulnerabilities in publicly accessible infrastructure, such as Microsoft Exchange servers.

PsExec, WMIC, and PowerShell are used for lateral movement within infected networks.

The attacks use the open-source library DiskCryptor to perform volume encryption and to lock the victims’ computers with a bootloader that prevents them from booting without the correct password.

Under certain conditions, the group’s current encryption method may be reversible.

The main goals of PyDCrypt are to infect other computers and to make sure the main payload, DCSrv, is executed properly. The executable is written in Python and compiled with PyInstaller with encryption enabled, using the --key flag during the build phase. As mentioned previously, the attackers build a new sample for each infected organisation and hardcode the parameters collected from the victim’s environment:

The main workflow of the malware:

  • Create a lock file to prevent multiple instances of the malware from running at the same time.

  • Decrypt and drop DCSrv (named C:\Users\Public\svchost.exe) to disk and execute it. The encryption algorithm is based on XOR and multiple Base64 encoding operations.
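What the second step amounts to, as an added unpacking helper for analysts (example code, not PyDCrypt’s own routine and not from Check Point’s report): peel the Base64 layers until the data stops being valid Base64, then undo a repeating-key XOR and sanity-check that a PE header appears. The key, the number of layers and the ordering (Base64 applied outside, XOR innermost) are assumptions for illustration; the real values are hard-coded per victim and are not given on this page.

```python
"""Added analyst helper: strip layered Base64 and a repeating-key XOR.
Layer order (Base64 outside, XOR inside), layer count and key are assumed;
PyDCrypt's real per-victim parameters are not reproduced here."""
import base64
import binascii
import itertools
from typing import Tuple

# Constructed sample values (not recovered from a real sample).
SAMPLE_KEY = b"constructed-key"
SAMPLE_PLAINTEXT = b"MZ\x90\x00\x03\x00\x00\x00" + b"constructed DCSrv stand-in body"
SAMPLE_LAYERS = 3


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; symmetric, so it both wraps and unwraps."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def peel_base64(blob: bytes, max_layers: int = 8) -> Tuple[bytes, int]:
    """Strip Base64 layers until the content is no longer valid Base64.

    validate=True makes b64decode reject any non-alphabet byte, so the loop
    stops as soon as it reaches the XOR'd binary instead of silently
    discarding bytes. Returns (innermost bytes, number of layers removed).
    """
    current, layers = blob, 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        current, layers = decoded, layers + 1
    return current, layers


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that the unwrapped payload is a Windows executable."""
    return data[:2] == b"MZ"


def unwrap_payload(blob: bytes, key: bytes, max_layers: int = 8) -> Tuple[bytes, int]:
    """Remove the Base64 layers, then undo the XOR. Returns (payload, layers)."""
    inner, layers = peel_base64(blob, max_layers)
    return xor_bytes(inner, key), layers


def build_sample() -> bytes:
    """Wrap the constructed plaintext the way the decoder expects (for the demo)."""
    blob = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    for _ in range(SAMPLE_LAYERS):
        blob = base64.b64encode(blob)
    return blob


if __name__ == "__main__":
    payload, layers = unwrap_payload(build_sample(), SAMPLE_KEY)
    print(f"removed {layers} Base64 layer(s); PE header present: {looks_like_pe(payload)}")
```

If the XOR'd bytes happen to consist only of Base64 alphabet characters the loop would peel one layer too many; when analysing a real sample, check `looks_like_pe` after each layer rather than trusting the count, and take the key from the dropper itself (the sample is per-victim, so keys recovered elsewhere will not apply).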

Moses Staff also promotes its attacks on Twitter and Telegram, with malicious activity reported as recently as November 14. The group has targeted over 257 websites and stolen data and documents totaling 34 terabytes. Its online portal also encourages others to join in “exposing the crimes of the Zionists in occupied Palestine.”

Finally, the researchers concluded that “Moses Staff are still active, pushing provocative messages and videos through their social media accounts.” Because the vulnerabilities exploited in the group’s attacks are not zero-days, potential victims can protect themselves by patching all publicly facing systems immediately.

Indicators Of Compromise:

Hashes

Hash (MD5)                        Description             Name

680ce7d56fc427ee2fbedb5baea59d68  MosesStaff Webshell V1  IISpool.aspx
1094aa25e2d637e7f5795edd6c0f60e4  MosesStaff Webshell V2  IISpool.aspx
5ffc255557796512798617ae61c4274d  MosesStaff Webshell V2  IISpool.aspx
3dde69212234c98b503081d64b9beb52  MosesStaff Webshell V2  IISpool.aspx
a44775e7568b790505bbcaadbd61c993  MosesStaff Webshell V2  IISpool.aspx
3649c106c6edd7ef47acd46586c74d8e  MosesStaff Webshell V2  warn.aspx
c1bc20a9bbebbbdd19869999b9cec03b  MosesStaff Webshell V2  IISpool.aspx
a06c125e6da566be67aacf6c4e44005e  CMD wrapper             OICe.exe
e776c4e24c00fa3eeba68cde38ae24f3  PyDCrypt                csrss.exe
3dfb7626dbe46136bc19404b63c6d1dc  PyDCrypt                csrss.exe
7be30062c1a2c42a7061dfbfec364588  DCSrv                   svchost.exe
93c19436e6e5207e2e2bed425107f080  DCSrv                   svvhost.exe
2372c7639e70820f253a098dfcaf5060  Bootloader Installer    svchost.dll

File paths

c:\users\public\svchost.exe

c:\users\public\svvhost.exe

c:\users\public\svchost.dll

c:\users\public\svchost.bat

c:\users\public\csrss.exe

c:\users\public\ps.exe

c:\users\dc1\dcl.txt

c:\users\public\account

c:\users\public\systemserial

c:\windows\system32\drivers\dcdrv.sys

C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx
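An IOC list is only useful once something checks hosts against it. The sweep below is an added example (not code from the page, from Check Point or from the group’s tooling) that walks a directory tree, MD5-hashes every readable file and reports matches against the hashes and paths listed above. Since the attackers build a fresh PyDCrypt sample per organisation, a hash match is the weakest signal; the hard-coded drop locations under C:\Users\Public and the IIS webshell path are the more durable check, so an unreadable or locked file at a known path is still reported. The default root is an assumption; path matching expects a live drive (a mounted image would need its mount prefix mapped to `c:`).

```python
"""Added IOC sweep for the hashes and paths listed above (example code, not
from the page or from Check Point). Separators and case are normalised so
either slash style matches the lower-case IOC paths."""
import hashlib
import os
from typing import Dict, Iterator, List, Tuple

# MD5 -> description, copied from the IOC table above.
KNOWN_HASHES: Dict[str, str] = {
    "680ce7d56fc427ee2fbedb5baea59d68": "MosesStaff Webshell V1 (IISpool.aspx)",
    "1094aa25e2d637e7f5795edd6c0f60e4": "MosesStaff Webshell V2 (IISpool.aspx)",
    "5ffc255557796512798617ae61c4274d": "MosesStaff Webshell V2 (IISpool.aspx)",
    "3dde69212234c98b503081d64b9beb52": "MosesStaff Webshell V2 (IISpool.aspx)",
    "a44775e7568b790505bbcaadbd61c993": "MosesStaff Webshell V2 (IISpool.aspx)",
    "3649c106c6edd7ef47acd46586c74d8e": "MosesStaff Webshell V2 (warn.aspx)",
    "c1bc20a9bbebbbdd19869999b9cec03b": "MosesStaff Webshell V2 (IISpool.aspx)",
    "a06c125e6da566be67aacf6c4e44005e": "CMD wrapper (OICe.exe)",
    "e776c4e24c00fa3eeba68cde38ae24f3": "PyDCrypt (csrss.exe)",
    "3dfb7626dbe46136bc19404b63c6d1dc": "PyDCrypt (csrss.exe)",
    "7be30062c1a2c42a7061dfbfec364588": "DCSrv (svchost.exe)",
    "93c19436e6e5207e2e2bed425107f080": "DCSrv (svvhost.exe)",
    "2372c7639e70820f253a098dfcaf5060": "Bootloader Installer (svchost.dll)",
}

# File paths from the IOC list above (lower-case, backslashes).
KNOWN_PATHS = frozenset({
    r"c:\users\public\svchost.exe",
    r"c:\users\public\svvhost.exe",
    r"c:\users\public\svchost.dll",
    r"c:\users\public\svchost.bat",
    r"c:\users\public\csrss.exe",
    r"c:\users\public\ps.exe",
    r"c:\users\dc1\dcl.txt",
    r"c:\users\public\account",
    r"c:\users\public\systemserial",
    r"c:\windows\system32\drivers\dcdrv.sys",
    r"c:\inetpub\wwwroot\aspnet_client\system_web\iispool.aspx",
})


def normalize_path(path: str) -> str:
    """Lower-case and use backslashes so disk paths compare against the IOC list."""
    return path.replace("/", "\\").lower()


def md5_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large files are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def classify(path: str, md5_hex: str) -> List[str]:
    """Return the IOC hits for one file: a path match, a hash match, or both."""
    hits: List[str] = []
    norm = normalize_path(path)
    if norm in KNOWN_PATHS:
        hits.append(f"known path: {norm}")
    label = KNOWN_HASHES.get(md5_hex.lower())
    if label is not None:
        hits.append(f"known hash {md5_hex.lower()}: {label}")
    return hits


def sweep(root: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (path, hits) for every file under root that matches an IOC."""
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                md5_hex = md5_file(full)
            except OSError:
                md5_hex = ""  # locked or unreadable: skip the hash, keep the path check
            hits = classify(full, md5_hex)
            if hits:
                yield full, hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users\Public"  # assumed default
    for found, found_hits in sweep(root):
        print(found)
        for hit in found_hits:
            print("   ", hit)
```

Run it as an administrator so the IIS and drivers directories are readable; on Windows the same check can be done with Get-FileHash -Algorithm MD5 in PowerShell, but the per-path logic above is what catches a rebuilt sample whose hash is not in the table.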
