Moses Staff Hackers Target Israeli Organizations for Cyber Espionage

February 18, 2022

The politically motivated Moses Staff hacker group has been found using a custom multi-component toolkit to carry out espionage against its targets as part of a new campaign that exclusively targets Israeli organizations.

First publicly documented in late 2021, Moses Staff is believed to be funded by the Iranian government, with reported attacks targeting entities in Israel, Italy, India, Germany, Chile, Turkey, the UAE and the USA.

Earlier this month, the hacker group was observed using a previously undocumented remote access trojan (RAT) named “StrifeWater” that masquerades as the Windows Calculator app to avoid detection.

“Close examination reveals that the group has been active for more than a year, much earlier than the group’s first official public exposure, trying to stay in the spotlight with an extremely low detection rate,” according to findings from FortiGuard Labs.

The latest threat activity involves an attack path that exploits the ProxyShell vulnerability in Microsoft Exchange servers as the initial infection vector to deploy two web shells, followed by exfiltration of Outlook data files (.PST) from the compromised server.

The next stages of the infection chain involve attempts to steal credentials by dumping the memory contents of a critical Windows process called the Local Security Authority Subsystem Service (Lsass.exe), before dropping and loading the “StrifeWater” backdoor (broker.exe).

The installation of the “Broker” implant, which is used to execute commands downloaded from remote servers, download files, and exfiltrate data from target networks, is aided by a loader that masquerades as a “hard disk quick stop” service and is named “DriveGuard” (drvguard.exe).

On top of that, the loader is also responsible for launching a watchdog mechanism (“lic.dll”) that ensures its own service is never interrupted by restarting DriveGuard every time it stops, as well as making sure that the loader is configured to run automatically at system startup.

For its part, the Broker backdoor is also equipped to remove itself from the disk using a CMD command, take screenshots, and update the malware by replacing the current module on the system with a file received from the server.

StrifeWater is also notable for its attempts to avoid detection by posing as the Windows Calculator application (calc.exe), with FortiGuard Labs researchers uncovering two older samples dating back to late December 2020, showing that the campaign has been active for more than a year.
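The file names and the Calculator masquerade described above can be turned into a simple triage check over process telemetry. This is an added example, not code from FortiGuard Labs or the original article; the event field names (`image`, `target_image`), the directory allow-list and the sample events are assumptions constructed for illustration.

```python
import ntpath

# File names taken from the article; everything else here is an assumption.
NAMED_ARTIFACTS = {"broker.exe", "drvguard.exe", "lic.dll"}
# Assumed legitimate locations of the Windows Calculator launcher.
CALC_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def triage(event):
    """Return a list of reasons a process event deserves analyst review."""
    path = event.get("image", "").lower()
    name = ntpath.basename(path)
    folder = ntpath.dirname(path)
    reasons = []
    if name == "calc.exe" and folder not in CALC_DIRS:
        reasons.append("calc.exe outside system directory (possible masquerade)")
    if name in NAMED_ARTIFACTS:
        # A name match alone is weak evidence; treat it as a lead, not a verdict.
        reasons.append(f"file name reported for this campaign: {name}")
    # An LSASS memory dump requires another process to open lsass.exe.
    # Security products do this too, so expect noise without an allow-list.
    target = ntpath.basename(event.get("target_image", "").lower())
    if target == "lsass.exe" and name != "lsass.exe":
        reasons.append("process opened lsass.exe (possible credential dump)")
    return reasons


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\calc.exe"},
    {"image": r"C:\Users\Public\calc.exe"},
    {"image": r"C:\ProgramData\drvguard.exe"},
    {"image": r"C:\Temp\tool.exe", "target_image": r"C:\Windows\System32\lsass.exe"},
]


def flagged(events):
    """Return (image, reasons) pairs for events with at least one reason."""
    return [(e["image"], r) for e in events if (r := triage(e))]


if __name__ == "__main__":
    for image, reasons in flagged(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```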

The attribution to Moses Staff is based on similarities in the web shells used in previously disclosed attacks and on its victim pattern.

“The group is highly motivated, capable and determined to cause damage to Israeli entities,” the researchers said. “At this point, they continue to depend on 1-day mining sessions for their initial infiltration phase. While the attacks we identified were carried out for espionage purposes, this does not negate the possibility that miners would then turn to destructive measures.”

Admin Natuts
