
G1009 Moses Staff

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff has openly stated that its motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victims' networks without a ransom demand. [1]

Security researchers assess that Moses Staff is politically motivated and has also targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel, including in Italy, India, Germany, Chile, Turkey, the UAE, and the US. [2]

| Item | Value |
|---|---|
| ID | G1009 |
| Associated Names | |
| Version | 1.0 |
| Created | 11 August 2022 |
| Last Modified | 24 October 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | - |
| Enterprise | T1087.001 | Account Discovery: Local Account | Moses Staff has collected the administrator username from a compromised host. [1] |
| Enterprise | T1587 | Develop Capabilities | - |
| Enterprise | T1587.001 | Develop Capabilities: Malware | Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines. [1] |
| Enterprise | T1190 | Exploit Public-Facing Application | Moses Staff has exploited known vulnerabilities in public-facing infrastructure such as Microsoft Exchange Servers. [1] |
| Enterprise | T1562 | Impair Defenses | - |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Moses Staff has downloaded and installed web shells to the following path: C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | Moses Staff has used obfuscated web shells in their operations. [1] |
| Enterprise | T1588 | Obtain Capabilities | - |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Moses Staff has used the commercial tool DiskCryptor. [1] |
| Enterprise | T1021 | Remote Services | - |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Moses Staff has used batch scripts that can enable SMB on a compromised host. [1] |
| Enterprise | T1505 | Server Software Component | - |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Moses Staff has dropped a web shell onto a compromised system. [1] |
| Enterprise | T1553 | Subvert Trust Controls | - |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Moses Staff has used signed drivers from an open source tool called DiskCryptor to evade detection. [1] |
| Enterprise | T1082 | System Information Discovery | Moses Staff has collected information about the infected host, including the machine name and OS architecture. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Moses Staff has collected the domain name of a compromised network. [1] |
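Several of the behaviours in the table above leave host-level traces that can be hunted with endpoint telemetry: a firewall-disabling command line (T1562.004), a script that opens SMB (T1021.002), an ASP.NET file written under the IIS aspnet_client directory (T1505.003, with the path given under T1105), and the load of a signed DiskCryptor driver (T1553.002). The following is an added example, not code from MITRE or from the reports the page cites. It runs a small set of hunt rules over constructed Sysmon-style events (event ID 1 = process create, 6 = driver load, 11 = file create) and tags each hit with the technique ID from the table. The event layout, the command-line patterns, the assumption that aspnet_client normally holds only static client-side script rather than .aspx handlers, and the driver file name dcrypt.sys are all assumptions made for the example, not indicators taken from the cited reporting.

```python
"""Hunt rules for the Moses Staff techniques tabulated above, run over
constructed Sysmon-style events.  Added example: the event layout and the
command-line / path / driver patterns are assumptions, not indicators from
the vendor reports the page cites."""
import re

# Constructed events (not captured telemetry).  id follows Sysmon:
# 1 = process create, 6 = driver load, 11 = file create.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01",
     "cmd": "cmd.exe /c netsh advfirewall set allprofiles state off"},
    {"id": 1, "host": "WS01",
     "cmd": 'netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes'},
    {"id": 1, "host": "WS02",
     "cmd": "netsh advfirewall show allprofiles"},            # benign: read-only query
    {"id": 11, "host": "EXCH01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx"},
    {"id": 11, "host": "EXCH01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\aspnet_client\system_web\WebUIValidation.js"},  # benign static asset
    {"id": 6, "host": "WS01", "image": r"C:\Windows\System32\drivers\dcrypt.sys",
     "signed": True, "signature": "DiskCryptor"},           # assumed driver name
]

# Assumed patterns.  netsh and Set-NetFirewallProfile forms that turn the
# host firewall off (T1562.004).
FIREWALL_OFF = re.compile(
    r"netsh\s+(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+(mode=)?disable)"
    r"|Set-NetFirewallProfile\b.*-Enabled\s+(\$)?False", re.I)
# Script-driven enabling of SMB access (T1021.002): opening the File and
# Printer Sharing rule group or forcing the Server service to start.
SMB_ENABLE = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="File and Printer Sharing"\s+new\s+enable=yes'
    r"|sc(\.exe)?\s+config\s+lanmanserver\s+start=\s*auto", re.I)
# Any server-side ASP.NET handler written under aspnet_client (T1505.003);
# the page's reported path is a .aspx in aspnet_client\system_web.
WEBSHELL_PATH = re.compile(
    r"\\inetpub\\wwwroot\\aspnet_client\\.*\.(aspx?|ashx|asmx)$", re.I)
# Load of the DiskCryptor kernel driver (T1553.002); file name assumed.
DISKCRYPTOR_DRIVER = re.compile(r"(\\|^)dcrypt\.sys$", re.I)

# (technique ID from the table, label, predicate over one event)
RULES = [
    ("T1562.004", "Disable or Modify System Firewall",
     lambda e: e["id"] == 1 and FIREWALL_OFF.search(e.get("cmd", ""))),
    ("T1021.002", "SMB/Windows Admin Shares (SMB enabled by script)",
     lambda e: e["id"] == 1 and SMB_ENABLE.search(e.get("cmd", ""))),
    ("T1505.003", "Web Shell (ASP.NET handler written under aspnet_client)",
     lambda e: e["id"] == 11 and WEBSHELL_PATH.search(e.get("target", ""))),
    ("T1553.002", "Code Signing (signed DiskCryptor driver loaded)",
     lambda e: e["id"] == 6 and DISKCRYPTOR_DRIVER.search(e.get("image", ""))),
]


def detect(events):
    """Return one hit per (event, rule) match, in event order, each carrying
    the host, the ATT&CK technique ID and the field that triggered it."""
    hits = []
    for ev in events:
        for tid, name, pred in RULES:
            if pred(ev):
                evidence = ev.get("cmd") or ev.get("target") or ev.get("image")
                hits.append({"host": ev["host"], "technique": tid,
                             "name": name, "evidence": evidence})
    return hits


def techniques_by_host(hits):
    """Collapse hits into {host: {technique IDs}} so a host showing several of
    the group's techniques stands out over one that fired a single rule."""
    out = {}
    for h in hits:
        out.setdefault(h["host"], set()).add(h["technique"])
    return out


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f'{h["host"]:7} {h["technique"]:10} {h["name"]}: {h["evidence"]}')
    print(techniques_by_host(detect(SAMPLE_EVENTS)))
```

Two of the six constructed events are benign (a read-only netsh query and a static .js file in the same aspnet_client tree) and produce no hit; the remaining four map one-to-one onto table rows. Grouping by host is the useful view: WS01 shows three of the group's techniques together, which is a far stronger signal than any one of the rules on its own.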

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S1033 | DCSrv | [1] | Create or Modify System Process: Windows Service; Data Encrypted for Impact; Masquerading: Masquerade Task or Service; Modify Registry; Native API; Obfuscated Files or Information; System Shutdown/Reboot; System Time Discovery |
| S0029 | PsExec | [1] | Create Account: Domain Account; Create or Modify System Process: Windows Service; Lateral Tool Transfer; Remote Services: SMB/Windows Admin Shares; System Services: Service Execution |
| S1032 | PyDCrypt | [1] | Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: Windows Command Shell; Command and Scripting Interpreter: Python; Deobfuscate/Decode Files or Information; Impair Defenses: Disable or Modify System Firewall; Indicator Removal: File Deletion; Masquerading: Match Legitimate Name or Location; Obfuscated Files or Information; System Network Connections Discovery; System Owner/User Discovery; Windows Management Instrumentation |
| S1034 | StrifeWater | [2] | Command and Scripting Interpreter: Windows Command Shell; Data from Local System; Encrypted Channel: Symmetric Cryptography; Exfiltration Over C2 Channel; File and Directory Discovery; Indicator Removal: File Deletion; Ingress Tool Transfer; Masquerading: Match Legitimate Name or Location; Native API; Scheduled Task/Job; Screen Capture; System Information Discovery; System Owner/User Discovery; System Time Discovery; Virtualization/Sandbox Evasion: Time Based Evasion |

References