S1033 DCSrv
DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[1]
| Item | Value |
|---|---|
| ID | S1033 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 11 August 2022 |
| Last Modified | 24 October 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | DCSrv has created new services for persistence by modifying the Registry.[1] |
| enterprise | T1486 | Data Encrypted for Impact | DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | DCSrv has masqueraded its service as a legitimate svchost.exe process.[1] |
| enterprise | T1112 | Modify Registry | DCSrv has created Registry keys for persistence.[1] |
| enterprise | T1106 | Native API | DCSrv has used various Windows API functions, including DeviceIoControl, as part of its encryption process.[1] |
| enterprise | T1027 | Obfuscated Files or Information | DCSrv's configuration is encrypted.[1] |
| enterprise | T1529 | System Shutdown/Reboot | DCSrv has a function to sleep for two hours before rebooting the system.[1] |
| enterprise | T1124 | System Time Discovery | DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1009 | Moses Staff | [1] |