Moses Staff

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff has openly stated that its motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victims' networks without a ransom demand.[1]

Security researchers assess that Moses Staff is politically motivated and has also targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel, including in Italy, India, Germany, Chile, Turkey, the UAE, and the US.[2]

ID: G1009
Associated Groups: DEV-0500, Marigold Sandstorm
Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India
Version: 2.0
Created: 11 August 2022
Last Modified: 11 April 2024

Associated Group Descriptions

Name | Description
DEV-0500 | [3]
Marigold Sandstorm | [3]

Techniques Used

Domain | ID | Name | Use

Enterprise | T1087.001 | Account Discovery: Local Account
Use: Moses Staff has collected the administrator username from a compromised host.[1]

Enterprise | T1587.001 | Develop Capabilities: Malware
Use: Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines.[1]

Enterprise | T1190 | Exploit Public-Facing Application
Use: Moses Staff has exploited known vulnerabilities in public-facing infrastructure such as Microsoft Exchange Servers.[1]

Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall
Use: Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.[1]

Enterprise | T1105 | Ingress Tool Transfer
Use: Moses Staff has downloaded and installed web shells to the following path: C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx.[1]

Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File
Use: Moses Staff has used obfuscated web shells in their operations.[1]

Enterprise | T1588.002 | Obtain Capabilities: Tool
Use: Moses Staff has used the commercial tool DiskCryptor.[1]

Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares
Use: Moses Staff has used batch scripts that can enable SMB on a compromised host.[1]

Enterprise | T1505.003 | Server Software Component: Web Shell
Use: Moses Staff has dropped a web shell onto a compromised system.[1]

Enterprise | T1553.002 | Subvert Trust Controls: Code Signing
Use: Moses Staff has used signed drivers from an open source tool called DiskCryptor to evade detection.[1]

Enterprise | T1082 | System Information Discovery
Use: Moses Staff has collected information about the infected host, including the machine names and OS architecture.[1]

Enterprise | T1016 | System Network Configuration Discovery
Use: Moses Staff has collected the domain name of a compromised network.[1]

Software

ID | Name | References | Techniques

S1033 | DCSrv | [1] | Create or Modify System Process: Windows Service, Data Encrypted for Impact, Masquerading: Masquerade Task or Service, Modify Registry, Native API, Obfuscated Files or Information: Encrypted/Encoded File, System Shutdown/Reboot, System Time Discovery

S0029 | PsExec | [1] | Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

S1032 | PyDCrypt | [1] | Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Masquerading: Match Legitimate Resource Name or Location, Obfuscated Files or Information: Encrypted/Encoded File, System Network Connections Discovery, System Owner/User Discovery, Windows Management Instrumentation

S1034 | StrifeWater | [2] | Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Native API, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Owner/User Discovery, System Time Discovery, Virtualization/Sandbox Evasion: Time Based Checks

References
