Check Point Research said in a report released Monday. “The attackers' goal is to fight against the resistance and expose the crimes of the Zionists in the occupied territories.”
Since September 2021, a new politically motivated hacker group known as “Moses Staff” has been linked to a wave of targeted attacks against Israeli organisations with the goal of stealing and leaking sensitive information before encrypting their networks, with no ransom demand.
Initial access to victims' networks is most likely gained by exploiting known vulnerabilities in publicly accessible infrastructure such as Microsoft Exchange servers.
PsExec, WMIC, and PowerShell are then used for lateral movement within the infected networks.
The attacks use the open-source library DiskCryptor to perform volume encryption and to lock the victims’ computers with a bootloader that prevents them from booting without the correct password.
Under certain conditions, the group’s current encryption method may be reversible.
The main goals of PyDCrypt are to infect other computers and to make sure the main payload, DCSrv, is executed properly. The executable is written in Python and compiled with PyInstaller with encryption enabled, using the `--key` flag during the build phase. As mentioned previously, the attackers build a new sample for each infected organization and hardcode parameters collected from the victim's environment.
The main workflow of the malware:
- Create a lock file to prevent multiple instances of the malware from running at the same time.
- Decrypt and drop DCSrv (named C:\Users\Public\svchost.exe) to disk and execute it. The encryption algorithm is based on XOR and multiple Base64 encoding operations.
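The workflow above leaves two cheap hunting signals: a Windows system process name (svchost.exe, csrss.exe) sitting outside System32, and a PyInstaller bundle (PyDCrypt is PyInstaller-compiled). The following triage script is an added example, not Check Point's code; the sample file inventory is constructed, and the PyInstaller archive cookie magic is the real constant from PyInstaller's archive reader.

```python
from typing import List, Tuple

# Real PyInstaller CArchive cookie magic (PyInstaller/archive/readers.py).
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"

# System process names the report shows being impersonated:
# PyDCrypt as csrss.exe, DCSrv as C:\Users\Public\svchost.exe.
IMPERSONATED_NAMES = {"svchost.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_pyinstaller_bundle(data: bytes) -> bool:
    """PyInstaller appends a CArchive whose cookie carries MAGIC; the
    marker survives renaming the executable to csrss.exe or similar."""
    return PYINSTALLER_MAGIC in data


def masquerades_as_system_process(path: str) -> bool:
    """svchost.exe and csrss.exe legitimately live only under System32/SysWOW64."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]          # Windows basename, works on any host OS
    return name in IMPERSONATED_NAMES and not p.startswith(SYSTEM_DIRS)


def triage(files: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every file matching at least one heuristic."""
    findings = []
    for path, data in files:
        reasons = []
        if masquerades_as_system_process(path):
            reasons.append("system-process name outside System32")
        if is_pyinstaller_bundle(data):
            reasons.append("PyInstaller bundle")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings


# Constructed inventory (fake bytes, not real samples) mirroring the report's paths.
SAMPLE_FILES = [
    ("C:\\Windows\\System32\\svchost.exe", b"MZ" + b"\x00" * 64),
    ("C:\\Users\\Public\\svchost.exe", b"MZ" + b"\x00" * 64),
    ("C:\\Users\\Public\\csrss.exe", b"MZ" + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 80),
    ("C:\\Tools\\report.exe", b"MZ" + PYINSTALLER_MAGIC + b"\x00" * 16),
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_FILES):
        print(f"{path}: {reason}")
```

Neither heuristic is conclusive on its own (legitimate tools are shipped with PyInstaller), so treat hits as triage candidates to pair with the published hashes rather than as verdicts.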
Moses Staff also promotes its attacks on Twitter and Telegram, with malicious activity reported as recently as November 14. The group claims to have targeted over 257 websites and to have stolen data and documents totaling 34 terabytes. Furthermore, its online portal encourages others to join it in “exposing the crimes of the Zionists in occupied Palestine.”
Finally, the researchers concluded that “Moses Staff are still active, pushing provocative messages and videos through their social media accounts.” Because the vulnerabilities exploited in the group's attacks are not zero-days, all potential victims can protect themselves by patching all publicly facing systems immediately.
Indicators Of Compromise: