The ‘Moses Staff’ Hacker Group Is Using The New StrifeWater RAT In Ransomware Attacks.

Cybereason security analyst Tom Fakterman reported that, “The StrifeWater RAT appears to be used in the early stages of the attack, and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group’s tracks. The RAT also has command execution and screen capturing capabilities, as well as the ability to download additional extensions.”

The malware was dubbed “StrifeWater” by Cybereason, a cybersecurity firm that has been tracking the operations of the Iranian actor known as Moses Staff.

Key Findings

  • StrifeWater, a previously undocumented remote access Trojan, has been identified as part of the arsenal used by Iranian APT Moses Staff. The RAT is assessed to be used specifically in the early stages of infection and is later replaced with other tools.
  • Various Functions: The StrifeWater RAT has a number of features, including the ability to list system files, execute system commands, take screen captures, create persistence, and download updates and auxiliary modules.
  • On the Lookout for: The StrifeWater RAT appears to have been removed from the infected environment in time for the ransomware to be deployed. This is most likely why the RAT was not detected earlier.
  • Government-Sponsored Ransomware: Moses Staff uses ransomware after exfiltration not for financial gain, but to disrupt operations, conceal espionage activity, and inflict harm.

As part of a deliberate effort to stay under the radar, a politically motivated hacker group linked to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan (RAT) that masquerades as the Windows Calculator app.

Check Point Research revealed a series of attacks aimed at Israeli organisations since September 2021 with the goal of disrupting the target’s business operations by encrypting their networks, with no option to regain access or negotiate a ransom.

StrifeWater’s main capabilities are as follows:

  • Listing system files
  • Executing shell commands using cmd.exe
  • Taking screen captures
  • Creating persistence through a scheduled task
  • Downloading updates and auxiliary modules

The researchers assessed that the removal of the malicious calculator executable and its replacement with the legitimate binary is an attempt by the threat actor to cover its tracks and erase evidence of the trojan, as well as to evade detection until the final phase of the attack, when the ransomware payload is executed.
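As an added defensive example (not from the article, Cybereason or the malware itself): a small Python check that parses exported Task Scheduler XML and flags a scheduled task whose action runs a calc.exe from outside the Windows system directories, which is the combination of the calculator masquerade and the scheduled-task persistence described above. The directory list, variable expansion and both sample tasks are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML format (what "schtasks /Query /XML" exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories where a genuine Windows calc.exe lives (assumed default install root,
# lower-cased); a calc.exe anywhere else is a masquerade candidate.
LEGIT_CALC_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def normalise(path: str) -> str:
    """Lower-case, strip quotes and expand the common SystemRoot variables."""
    p = path.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, r"c:\windows")
    return p

def suspicious_calc_task(task_xml: str) -> list:
    """Reasons a scheduled task looks like calculator-masquerade persistence.
    Flags any Exec action running a calc.exe outside the system directories and
    notes when such a task is also hidden; an empty list means nothing matched."""
    root = ET.fromstring(task_xml)
    reasons = []
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = normalise(cmd.text or "")
        if not path.endswith("calc.exe"):
            continue
        directory = path.rsplit("\\", 1)[0] if "\\" in path else ""
        if directory not in LEGIT_CALC_DIRS:
            reasons.append(f"calc.exe launched from non-system path: {cmd.text.strip()}")
    hidden = root.find(".//t:Settings/t:Hidden", NS)
    if reasons and hidden is not None and (hidden.text or "").strip().lower() == "true":
        reasons.append("task is hidden from the Task Scheduler UI")
    return reasons

# Constructed sample tasks (not real Moses Staff artefacts): one masquerade, one benign.
MASQUERADE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\Libraries\calc.exe</Command></Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>%SystemRoot%\System32\calc.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("masquerade", MASQUERADE_TASK), ("benign", BENIGN_TASK)):
        print(name, "->", suspicious_calc_task(xml_text) or "clean")
```

On a live host the same function can be fed the output of `schtasks /Query /XML` for each task; pair it with an Authenticode signature check on any flagged binary before acting on the result.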

Finally, the researchers concluded: “Moses Staff uses ransomware after exfiltration not for financial gain, but to disrupt operations, obfuscate espionage activity, and inflict system damage in order to advance Iran’s geopolitical goals. The ultimate goal for Moses Staff appears to be more political than financial.”
