Earlier this month, the hacker group Moses Staff was observed using a previously unknown remote access trojan (RAT) called “StrifeWater” that masquerades as the Windows Calculator software to avoid detection. Moses Staff is thought to be supported by the Iranian government, with attacks recorded against entities in Israel, Italy, India, Germany, Chile, Turkey, the UAE and the US.
As part of a new operation that targets only Israeli enterprises, the politically motivated Moses Staff hacker group has been detected deploying a unique multi-component toolset for the purpose of carrying out espionage against its targets.
FortiGuard Labs reported that “close examination reveals that the group has been operational for over a year, considerably earlier than the group’s initial official public exposure, managing to stay under the radar with an extraordinarily low detection rate.”
The most recent threat activity involves an attack route that uses the Microsoft Exchange ProxyShell vulnerability as an initial infection vector to deploy two web shells, followed by the exfiltration of Outlook Data Files (.PST) from the compromised server.
The infection chain continues with an attempt to steal credentials by dumping the memory of a critical Windows process, the Local Security Authority Subsystem Service (lsass.exe), followed by the installation and activation of the “StrifeWater” backdoor (broker.exe).
The installation of the “Broker” implant, which executes commands retrieved from a remote server, downloads files, and exfiltrates data from target networks, is handled by a loader nicknamed “DriveGuard” that poses as a “Hard Disk Drives Fast Stop Service” (drvguard.exe).
StrifeWater is also known for posing as the Windows Calculator app (calc.exe), with FortiGuard Labs analysts uncovering two older samples dating back to the end of December 2020, indicating that the campaign has been active for more than a year.
Finally, the researchers concluded: “the organisation is extremely motivated, capable and intent on causing harm to Israeli entities. They continue to rely on 1-day exploits for their initial intrusion phase at this time. Although the attacks we discovered were carried out for espionage reasons, this does not rule out the possibility that the hackers will later use harmful methods.”
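As an added defender-side example (not code from the article or from FortiGuard), the following Python pass matches constructed process and service events against the indicators named above: calc.exe launched from outside System32, the broker.exe and drvguard.exe file names, the DriveGuard service name, and handles opened on lsass.exe. It also flags cmd.exe or powershell.exe spawned by the IIS worker w3wp.exe, the usual sign of a web shell, which the article does not name; the key=value event format, field names and sample lines are assumptions, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed key=value event format (not real Sysmon/EDR output); quoted values may contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SYSTEM32 = "c:\\windows\\system32\\"
IMPLANT_NAMES = {"broker.exe", "drvguard.exe"}          # file names from the report
SERVICE_NAME = "hard disk drives fast stop service"      # DriveGuard's cover service name

def parse_event(line: str) -> Dict[str, str]:
    """Turn one constructed event line into a dict of lowercased values."""
    return {k: (q or v).lower() for k, q, v in _KV.findall(line)}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event trips (empty list means clean)."""
    hits: List[str] = []
    kind, image = ev.get("type", ""), ev.get("image", "")
    name = basename(image)
    if kind == "processcreate":
        if name == "calc.exe" and not image.startswith(SYSTEM32):
            hits.append("calc_masquerade")       # calc.exe only ships from System32
        if name in IMPLANT_NAMES:
            hits.append("known_implant_name")
        if basename(ev.get("parent", "")) == "w3wp.exe" and name in {"cmd.exe", "powershell.exe"}:
            hits.append("webshell_child")        # IIS worker spawning a shell
    elif kind == "processaccess" and basename(ev.get("target", "")) == "lsass.exe":
        hits.append("lsass_access")              # credential dumping precursor
    elif kind == "serviceinstall" and ev.get("name", "") == SERVICE_NAME:
        hits.append("driveguard_service")
    return hits

def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line numbers to the rules each flagged event tripped."""
    return {i: h for i, line in enumerate(lines, 1) if (h := evaluate(parse_event(line)))}

SAMPLE_EVENTS = [  # constructed sample lines, not captured telemetry
    'type=ProcessCreate image="C:\\Windows\\System32\\calc.exe" parent="C:\\Windows\\explorer.exe"',
    'type=ProcessCreate image="C:\\Users\\Public\\calc.exe" parent="C:\\Windows\\explorer.exe"',
    'type=ProcessCreate image="C:\\Windows\\System32\\cmd.exe" parent="C:\\Windows\\System32\\inetsrv\\w3wp.exe"',
    'type=ProcessAccess image="C:\\ProgramData\\broker.exe" target="C:\\Windows\\System32\\lsass.exe"',
    'type=ServiceInstall name="Hard Disk Drives Fast Stop Service" image="C:\\ProgramData\\drvguard.exe"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {n}: {', '.join(hits)}")
```

The first sample event (the genuine calc.exe in System32) is the control case and produces no hit.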