Moses Staff Hacker Group Using New StrifeWater RAT

Moses Staff Hacker Group Using New StrifeWater RAT

Short News:- 

Cybersecurity firm tracks Iranian actor known as Moses Staff behind anti-Israel malware. Remote access trojan called StrifeWater masquerades as Windows Calculator app. Researchers believe the group is attempting to cover their tracks and erase evidence of the trojan's existence.

Detailed News:- 

Anti-Israeli hacker groups in 2021 used the Windows Calculator app to hide their activities from detection by using an undocumented remote access trojan (RAT) that masquerades as the Windows Calculator app.

StrifeWater" is the name Cybereason, a cybersecurity firm that has been tracking the Iranian actor known as Moses Staff has given to the malware.

According to a Cybereason report, "The StrifeWater RAT appears to be used in the initial stage of an attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group's tracks." "Other capabilities of the RAT include command execution, screen capture, and the ability to download additional extensions."

It was discovered that Moses Staff had been targeting Israeli organizations since September 2021, when Check Point Research discovered a string of attacks aimed at encrypting the targets' networks and preventing them from being decrypted except by paying a ransom.

Apart from infecting systems with a bootloader that prevents them from booting up without the correct encryption key, these intrusions were notable for using the open-source library DiskCryptor to perform volume encryption.

More than a dozen countries outside of Israel have reported cases of victims of the smuggling of weapons of mass destruction (WMDs).

After discovering a new piece of the attacking puzzle, Cybereason discovered that the "calc.exe" (the Windows Calculator binary) RAT was deployed and used in the early stages of infection, but was then removed before file-encrypting malware was deployed.

Researchers believe that the threat actor is attempting to cover their tracks and erase evidence of the trojan by removing and replacing the malicious calculator executable with a legitimate binary. This will allow them to evade detection until the final phase of the attack when the ransomware payload is executed.

Among the many features, StrifeWater offers are the ability to list system files, run system commands, take screenshots, create persistence, and download updates and auxiliary modules. StrifeWater is no different from its competitors in this regard.

Ultimately, Moses Staff's motivations appear to be more political than financial, according to Fakterman. This ransomware post-exfiltration is being used by the Moses Staff to disrupt operations, obfuscate spying activity, and cause damage to systems to further Iran's geopolitical goals, not for financial gain."