As part of a new operation aimed exclusively at Israeli organizations, the politically motivated Moses Staff hacking group has been observed deploying a custom multi-component toolset to conduct espionage against its targets. Moses Staff is believed to be backed by the Iranian government, with attacks recorded against entities in Israel, Germany, Italy, India, Turkey, Chile, the United Arab Emirates, and the United States.
“Close examination reveals that the group has been active for over a year, much earlier than the group’s first official public exposure, managing to stay under the radar with an extremely low detection rate,” findings from FortiGuard Labs reveal.
The most recent threat activity comprises an attack path that uses the Microsoft Exchange ProxyShell flaw as an initial infection vector to install two web shells, followed by the exfiltration of Outlook Data Files (.PST) from the infected server. The infection chain continues with an attempt to steal credentials by dumping the memory contents of a vital Windows process named Local Security Authority Subsystem Service (Lsass.exe), followed by the installation and activation of the “StrifeWater” backdoor (broker.exe).
The deployment of the “Broker” implant, which is used to run commands retrieved from a remote server, download files, and exfiltrate data from target networks, is facilitated by a loader nicknamed “DriveGuard” (drvguard.exe) that poses as a “Hard Disk Drives Fast Stop Service.” The loader is also responsible for launching a watchdog mechanism (“lic.dll”) that keeps the DriveGuard service running by restarting it whenever it is stopped, and for ensuring that the loader itself is configured to run automatically at system startup.
The broker backdoor, for its part, may also use a CMD command to remove itself from the drive, take screenshots, and update the malware to replace the current module on the system with a file received from the server. StrifeWater is also known for posing as the Windows Calculator software (calc.exe), with FortiGuard Labs analysts uncovering two older samples going back to the end of December 2020, indicating that the campaign has been active for more than a year.
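As an added defender-side illustration (not code from the article or from FortiGuard Labs), the routine below triages constructed Sysmon-style records for the observable stages of the chain described above: the masqueraded loader service, the lic.dll watchdog, memory access to Lsass.exe from an unexpected location, and a calc.exe or broker.exe binary outside System32. The record field names, event IDs and sample paths are assumptions chosen to mirror Sysmon's schema, not values taken from the report.

```python
"""Triage constructed Sysmon-style records for the StrifeWater/DriveGuard chain."""
import ntpath
from typing import Iterable

# File and service names quoted in the write-up; the service name is a masquerade.
LOADER_NAME = "drvguard.exe"
LOADER_SERVICE = "hard disk drives fast stop service"
BACKDOOR_NAMES = {"broker.exe"}
WATCHDOG_DLL = "lic.dll"
SYSTEM32 = r"c:\windows\system32"
PROCESS_VM_READ = 0x10  # access right needed to read another process's memory


def _base(path: str) -> str:
    return ntpath.basename(path or "").lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path or "").lower()


def triage_events(events: Iterable[dict]) -> list:
    """Return (stage, detail) findings in the order the records were seen.

    Event IDs follow Sysmon: 1 = process create, 7 = image load,
    10 = process access; 7045 is the System-log 'service installed' event.
    """
    findings = []
    for ev in events:
        eid, image = ev.get("event_id"), ev.get("image", "")
        if eid == 7045 and (_base(ev.get("image_path", "")) == LOADER_NAME
                            or ev.get("service_name", "").lower() == LOADER_SERVICE):
            findings.append(("driveguard_persistence", ev.get("service_name", "")))
        elif eid == 7 and _base(image) == LOADER_NAME and _base(ev.get("image_loaded", "")) == WATCHDOG_DLL:
            findings.append(("driveguard_watchdog", ev.get("image_loaded", "")))
        elif (eid == 10 and _base(ev.get("target_image", "")) == "lsass.exe"
              and int(ev.get("granted_access", "0x0"), 16) & PROCESS_VM_READ
              and _dir(image) != SYSTEM32):  # tune: allow-list legitimate security tools
            findings.append(("lsass_dump", image))
        elif eid == 1:
            name = _base(image)
            if name in BACKDOOR_NAMES or (name == "calc.exe" and _dir(image) != SYSTEM32):
                findings.append(("strifewater_masquerade", image))
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"event_id": 7045, "service_name": "Hard Disk Drives Fast Stop Service",
     "image_path": r"C:\ProgramData\drvguard.exe"},
    {"event_id": 7, "image": r"C:\ProgramData\drvguard.exe", "image_loaded": r"C:\ProgramData\lic.dll"},
    {"event_id": 10, "image": r"C:\Users\Public\dumper.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"event_id": 1, "image": r"C:\Users\Public\calc.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\calc.exe"},  # the real calculator, not flagged
    {"event_id": 1, "image": r"C:\ProgramData\broker.exe"},
]

if __name__ == "__main__":
    for stage, detail in triage_events(SAMPLE_EVENTS):
        print(f"{stage:24} {detail}")
```

Matching on file names alone is weak evidence on its own, so each finding is best treated as a hunting lead to correlate with the ProxyShell web-shell and .PST exfiltration activity described earlier.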
Moses Staff’s attribution is predicated on parallels in the web shells used in past revealed attacks, as well as its victimology pattern. “The group is highly motivated, capable, and set on damaging Israeli entities,” the researchers said. “At this point, they continue to depend on 1-day exploits for their initial intrusion phase. Although the attacks we identified were carried out for espionage purposes, this does not negate the possibility that the operators will later turn to destructive measures.”