It is believed that a politically motivated hacker group linked to a series of eavesdropping and sabotage attacks against Israeli entities in 2021 used a previously undocumented remote access trojan (RAT) that masqueraded as the Windows Calculator app as part of a deliberate effort to remain under the radar. It has been months since the Cybereason Nocturnus Team has been chasing down members of the Iranian hacking organization known as the Moses Staff. The organization was discovered for the first time in October 2021, and they say that their purpose is to do harm to Israeli firms by disclosing sensitive, stolen data.

The group Moses Staff has been detected attacking organizations in a number of countries other than Israel, which appears to be the group’s primary objective. Some of these nations include Italy, India, Germany, Chile, Turkey, the United Arab Emirates, and the United States. The firm targets a wide range of businesses, including government, finance, travel, energy, manufacturing, and the utilities industry, to name a few examples.

Tom Fakterman, Cybereason security expert, stated in a report that the StrifeWater RAT appears to have been utilised in the early stages of this assault and that this stealthy RAT has the capacity to erase itself from the system to mask the Iranian group’s traces. The researchers write: “The RAT possesses other capabilities, such as command execution and screen capturing, as well as the ability to download additional extensions.”

As a result of research that has been made public about the group’s tactics and techniques (TTPs), the Cybereason Nocturnus team found a previously unknown Remote Access Trojan (RAT) in the Moses Staff’s arsenal, which they have named “StrifeWater.”

Earlier this year, Check Point Research revealed that Moses Staff had been behind a series of attacks against Israeli organizations dating back to September 2021, with the goal of disrupting their business operations by encrypting their networks and leaving them with no way to regain access or negotiate a ransom. During the first stages of the attack, the StrifeWater RAT appears to have been employed, and this stealthy RAT has the capability of removing itself from the system in order to obscure the Iranian group’s traces. Other features of the RAT include the ability to execute commands and capture screen images, as well as the ability to download more extensions. Cybereason has discovered a new piece of the attack puzzle in the form of a remote access tool (RAT) that is deployed under the name “calc.exe” (the Windows Calculator binary) and is used during the early stages of the infection chain, only to be removed prior to the deployment of the file-encrypting malware. The researchers believe that the removal and subsequent replacement of the malicious calculator executable with a legitimate binary is an attempt by the threat actor to cover up tracks and erase evidence of the trojan, as well as to avoid detection until the final phase of the attack, when the ransomware payload is executed.

As for StrifeWater, it offers the same functions as the rest of the pack, including the ability to view system files, perform system commands, take screen grabs, generate persistence, and download updates and auxiliary modules. StrifeWater is available for free from the official website. Ultimately, Fakterman stated, “The end goal for Moses Staff appears to be more politically motivated than financial,” According to the report, “Moses Staff employs ransomware post-exfiltration not for financial gain, but to disrupt operations, obfuscate espionage activity, and inflict damage to systems to advance Iran’s geopolitical goals.”

 

Features & Functions of ‘StrifeWater’

• Novel Remote Access Trojan: A newly undocumented RAT dubbed “StrifeWater” is assessed to be part of the arsenal used by Iranian APT Moses Staff. The RAT is assessed to be specifically used in the initial phase of infection and is later replaced with other tools.
• Multiple Functionalities: The StrifeWater RAT has various capabilities, among them: listing system files, executing system commands, taking screen captures, creating persistence, and downloading updates and auxiliary modules.
• Under the Radar: The StrifeWater RAT appears to have been removed from the infected environment in time for the deployment of the ransomware. This is likely the reason the RAT was not detected before.
• State-Sponsored Ransomware: Moses Staff employs ransomware post-exfiltration not for financial gain, but to disrupt operations, obfuscate espionage activity, and inflict damage to systems to advance Iran’s geopolitical goals.

It appears from our investigation that the Moses Staff operators make purposeful attempts to remain under the radar and escape discovery until the last phase of the operation, when they distribute and execute the ransomware payload they have developed. Our investigation has also revealed that the Moses Staff’s mode of operation includes attempts to pass its arsenal off as legitimate Windows software, in addition to the removal of their initial persistence and reconnaissance tools, among other things. This strategy helps keep investigators from knowing the full scope of the attack, so the StrifeWater RAT went unnoticed during the investigation.

Moses Staff’s objectives appear to be consistent with Iran’s cyber warfare strategy, which calls for sabotaging government, military, and civilian groups associated with Iran’s geopolitical adversaries. In contrast to criminal cybercrime groups that employ ransomware to compel their victims into paying a ransom price, the Moses Staff gang is suspected of leaking critical material without demanding a ransom price, and it has already been determined that their intentions are political in nature.

 

Preventive Methods

1. Find out what hardware and software assets are connected to the network before defending against a ransomware infection. Active discovery can help, but it won’t uncover assets that have been deployed by employees from other departments. In light of this limitation, one should use passive discovery to build a comprehensive asset inventory and to keep that list of connected hardware and software current.
2. A playbook is necessary for both preparing for and recovering from an attack. Both an IR playbook and an IR framework can help organizations plan for a wide range of attacks, including ransomware, in the event of an incident.
3. This is the third step, make sure not to install any applications that could pose a threat to the system. Adding applications to an allowed list is a good way to approve which programme systems can run in accordance with the organization’s security policies.
4. Detect and respond to ransomware actions, strategies, and moves before the threat is at its highest level. The detection and prevention of ransomware components is made possible using multi-layered defences, which put an end to an attack before any damage is done.