
S1034 StrifeWater

StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their attacks since at least November 2021.[1]

ID: S1034
Associated Names:
Version: 1.0
Created: 15 August 2022
Last Modified: 11 October 2022

Techniques Used

Domain | ID | Name | Use
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | StrifeWater can execute shell commands using cmd.exe.[1]
enterprise | T1005 | Data from Local System | StrifeWater can collect data from a compromised host.[1]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | StrifeWater can encrypt C2 traffic using XOR with a hard-coded key.[1]
enterprise | T1041 | Exfiltration Over C2 Channel | StrifeWater can send data and files from a compromised host to its C2 server.[1]
enterprise | T1083 | File and Directory Discovery | StrifeWater can enumerate files on a compromised host.[1]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | StrifeWater can self-delete to cover its tracks.[1]
enterprise | T1105 | Ingress Tool Transfer | StrifeWater can download updates and auxiliary modules.[1]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | StrifeWater has been named calc.exe to appear as a legitimate calculator program.[1]
enterprise | T1106 | Native API | StrifeWater can use a variety of APIs for execution.[1]
enterprise | T1053 | Scheduled Task/Job | StrifeWater has created a scheduled task named Mozilla\Firefox Default Browser Agent 409046Z0FF4A39CB for persistence.[1]
enterprise | T1113 | Screen Capture | StrifeWater has the ability to take screen captures.[1]
enterprise | T1082 | System Information Discovery | StrifeWater can collect the OS version, architecture, and machine name to create a unique token for the infected host.[1]
enterprise | T1033 | System Owner/User Discovery | StrifeWater can collect the user name from the victim's machine.[1]
enterprise | T1124 | System Time Discovery | StrifeWater can collect the time zone from the victim's machine.[1]
enterprise | T1497 | Virtualization/Sandbox Evasion | -
enterprise | T1497.003 | Time Based Evasion | StrifeWater can modify its sleep time responses from the default of 20-22 seconds.[1]

Groups That Use This Software

ID | Name | References
G1009 | Moses Staff | [1]