
Moses Staff

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff has openly stated that its motivation for attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting victims' networks without making a ransom demand.(Citation: Checkpoint MosesStaff Nov 2021) Security researchers assess that Moses Staff is politically motivated and has also targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel, including in Italy, India, Germany, Chile, Turkey, the UAE, and the US.(Citation: Cybereason StrifeWater Feb 2022)
ID: G1009
Associated Groups: DEV-0500, Marigold Sandstorm
Version: 2.0
Created: 11 Aug 2022
Last Modified: 11 Apr 2024

Associated Group Descriptions

Name Description
DEV-0500 (Citation: Microsoft Threat Actor Naming July 2023)
Marigold Sandstorm (Citation: Microsoft Threat Actor Naming July 2023)

Techniques Used

Domain ID Name Use
Enterprise T1087.001 Account Discovery: Local Account

Moses Staff has collected the administrator username from a compromised host.(Citation: Checkpoint MosesStaff Nov 2021)

Enterprise T1587.001 Develop Capabilities: Malware

Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines.(Citation: Checkpoint MosesStaff Nov 2021)

Enterprise T1562.004 Impair Defenses: Disable or Modify System Firewall

Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.(Citation: Checkpoint MosesStaff Nov 2021)

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Moses Staff has used obfuscated web shells in their operations.(Citation: Checkpoint MosesStaff Nov 2021)

Enterprise T1588.002 Obtain Capabilities: Tool

Moses Staff has used the commercial tool DiskCryptor.(Citation: Checkpoint MosesStaff Nov 2021)

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

Moses Staff has used batch scripts that can enable SMB on a compromised host.(Citation: Checkpoint MosesStaff Nov 2021)

Enterprise T1505.003 Server Software Component: Web Shell

Moses Staff has dropped a web shell onto a compromised system.(Citation: Checkpoint MosesStaff Nov 2021)

Enterprise T1553.002 Subvert Trust Controls: Code Signing

Moses Staff has used signed drivers from the open source tool DiskCryptor to evade detection.(Citation: Checkpoint MosesStaff Nov 2021)
