G1009 Moses Staff
Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim’s networks without a ransom demand.1
Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.2
Item | Value |
---|---|
ID | G1009 |
Associated Names | |
Version | 1.0 |
Created | 11 August 2022 |
Last Modified | 24 October 2022 |
Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | Moses Staff has collected the administrator username from a compromised host.1 |
enterprise | T1587 | Develop Capabilities | - |
enterprise | T1587.001 | Malware | Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims’ machines.1 |
enterprise | T1190 | Exploit Public-Facing Application | Moses Staff has exploited known vulnerabilities in public-facing infrastructure such as Microsoft Exchange Servers.1 |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.004 | Disable or Modify System Firewall | Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.1 |
enterprise | T1105 | Ingress Tool Transfer | Moses Staff has downloaded and installed web shells to following path C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx .1 |
enterprise | T1027 | Obfuscated Files or Information | Moses Staff has used obfuscated web shells in their operations.1 |
enterprise | T1588 | Obtain Capabilities | - |
enterprise | T1588.002 | Tool | Moses Staff has used the commercial tool DiskCryptor.1 |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.002 | SMB/Windows Admin Shares | Moses Staff has used batch scripts that can enable SMB on a compromised host.1 |
enterprise | T1505 | Server Software Component | - |
enterprise | T1505.003 | Web Shell | Moses Staff has dropped a web shell onto a compromised system.1 |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | Moses Staff has used signed drivers from an open source tool called DiskCryptor to evade detection.1 |
enterprise | T1082 | System Information Discovery | Moses Staff collected information about the infected host, including the machine names and OS architecture.1 |
enterprise | T1016 | System Network Configuration Discovery | Moses Staff has collected the domain name of a compromised network.1 |