A politically motivated hacking gang linked to a series of espionage and sabotage attacks against Israeli companies in 2021 is employing a previously undocumented remote access trojan (RAT) that masquerades as the Windows Calculator application as part of a deliberate effort to stay under the radar. The malware was nicknamed “StrifeWater” by cybersecurity firm Cybereason, which has been following the activity of the Iranian actor known as Moses Staff.
“The StrifeWater RAT appears to be used in the initial stage of the attack, and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group’s tracks,” Cybereason security analyst Tom Fakterman said in a report. “The RAT possesses other capabilities, such as command execution and screen capturing, as well as the ability to download additional extensions.”
Check Point Research revealed a series of attacks targeting Israeli enterprises since September 2021, aimed at disrupting the targets’ business operations by encrypting their networks and leaving the victims with no option either to regain access or to pay a ransom. The breaches were notable for encrypting volumes with the open-source library DiskCryptor and infecting the computers with a bootloader that prevents them from booting without the necessary encryption key.
Victims have been recorded so far in Italy, India, Turkey, Chile, the United Arab Emirates, Germany, and the United States. Cybereason has identified a new piece of the attack puzzle in the form of a RAT installed under the name “calc.exe” (the name of the Windows Calculator binary), which is employed during the early stages of the infection chain and deleted before the file-encrypting malware is deployed.
The researchers believe the malicious calculator executable was removed and replaced with the legitimate one, an attempt by the threat actor to cover its tracks, erase evidence of the trojan, and evade detection until the ransomware payload is executed in the final phase of the attack. Otherwise, StrifeWater is similar to other RATs and offers a broad feature set, including the ability to list system files, run system commands, take screenshots, establish persistence, and download updates and auxiliary modules.
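The masquerade described above rests on a file name alone, so a defender can test inventory data for it directly. The following Python is an added example and is not code from the article or from Cybereason: it checks every file named calc.exe from a software inventory against three expectations (it sits in a directory where Windows installs the real binary, its SHA-256 matches a known-good baseline, and it carries a Microsoft signature). The baseline hash and the inventory records are constructed placeholders; a real deployment would take the hash from a trusted golden image and the records from an EDR or file-integrity tool.

```python
"""Flag files that masquerade as the Windows Calculator binary.

Added example; the hash and records below are constructed placeholders,
not values from the article.
"""
from dataclasses import dataclass

# Directories where a genuine calc.exe is expected (lower-cased Windows paths).
EXPECTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# PLACEHOLDER: replace with the SHA-256 of calc.exe from your own golden image.
BASELINE_SHA256 = "baseline-calc-sha256-placeholder"


@dataclass
class FileRecord:
    """One row of a file inventory as an EDR or FIM tool might export it."""
    path: str
    sha256: str
    signed_by_microsoft: bool


def classify(rec: FileRecord) -> list:
    """Return the reasons a record looks like a calc.exe masquerade.

    An empty list means the file is not named calc.exe, or it matches
    the expected location, hash and signer.
    """
    path = rec.path.lower()
    reasons = []
    if not path.endswith("\\calc.exe"):
        return reasons
    directory = path.rsplit("\\", 1)[0]
    in_expected_dir = any(
        directory == d or directory.startswith(d + "\\") for d in EXPECTED_DIRS
    )
    if not in_expected_dir:
        reasons.append("unexpected directory")
    if rec.sha256 != BASELINE_SHA256:
        reasons.append("hash differs from baseline")
    if not rec.signed_by_microsoft:
        reasons.append("not signed by Microsoft")
    return reasons


def find_masquerades(records) -> dict:
    """Map each suspicious path to its list of reasons."""
    flagged = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            flagged[rec.path] = reasons
    return flagged


# Constructed sample inventory: one genuine copy, one dropped in a user
# directory, and one overwriting the real binary with an unsigned file.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\calc.exe", BASELINE_SHA256, True),
    FileRecord(r"C:\Users\Public\calc.exe", "deadbeef-constructed", False),
    FileRecord(r"C:\Windows\System32\calc.exe", "cafebabe-constructed", False),
]

if __name__ == "__main__":
    for path, reasons in find_masquerades(SAMPLE_INVENTORY).items():
        print(path, "->", ", ".join(reasons))
```

Because the RAT deletes itself before the encryption stage, a hash check run after the fact finds nothing; the same rule is therefore most useful when applied to a continuous inventory or file-creation telemetry, so that the short-lived copy is recorded while it still exists.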