Moses Staff

Threat Actor updated a month ago (2024-11-29T14:34:46.324Z)

Download STIX

Preview STIX

Moses Staff, an Iranian Advanced Persistent Threat (APT) group, has emerged as a significant cybersecurity threat. The Cybereason Nocturnus Team has been monitoring the activities of this group since 2021, and it has been linked to several major ransomware-style attacks. Initially categorized as hacktivists, more in-depth analysis revealed that Moses Staff's operations are more sophisticated than typical hacktivist activities, posing a greater threat. Notably, they have deployed an undocumented Remote Access Trojan (RAT) named StrifeWater in the initial stages of their attacks, demonstrating a high level of technical expertise. The discovery of the StrifeWater RAT was facilitated by the analysis of a new variant of the PyDCrypt malware used by Moses Staff. This RAT is being used in targeted ransomware attacks and its deployment indicates a shift towards more advanced and persistent threats. The group's tactics include phishing attacks and remote exploitation, which align with the MITRE AT&CK Framework, a globally-accessible knowledge base of adversary tactics and techniques. Furthermore, Moses Staff's activities have shown overlaps with other known Iranian hacktivist groups, further complicating attribution efforts. Moses Staff has been implicated in several high-profile cyberattacks, including a claim to have hacked the Israeli Dorad power facility. However, these claims were found to be recycled from a previous breach announced in June 2022. The group has also been associated with other pro-Iranian government fronts like N3tW0rm and Agrius, indicating a coordinated effort among these entities. Additionally, the group has been connected to the Karma operation, a pro-Hamas hacktivist campaign deploying the BiBi-Linux Wiper malware against Israeli targets. Overall, the group's sophisticated tactics and persistent nature have led to its elevation from a hacktivist group to APT status.

Description last updated: 2024-07-09T13:20:04.425Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Apt

Ransom

Malware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The DCSrv Malware is associated with Moses Staff. DCSrv is a variant of ransomware developed by the threat group known as Moses Staff. According to research conducted by the Cybereason Nocturnus team, DCSrv was discovered as part of the Moses Staff arsenal, alongside other tools such as PyDCrypt and StrifeWater. The malware disguises itself as the	Unspecified	2
The PyDCrypt Malware is associated with Moses Staff. PyDCrypt is a malicious software (malware) variant deployed by the Moses Staff group, primarily targeting Israeli companies. The malware is written in Python and built with PyInstaller, designed to infect other computers on a network and execute the main payload, DCSrv. It is typically used in the l	Unspecified	2
The StrifeWater Malware is associated with Moses Staff. StrifeWater is a stealthy Remote Access Trojan (RAT) used in targeted ransomware attacks, primarily deployed by the Iranian APT group, Moses Staff. This malware has been identified as a key tool for initial infiltration and reconnaissance on compromised targets, with various capabilities including l	Unspecified	2

Source Document References

Information about the Moses Staff Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Recorded Future	6 months ago	Leaks and Revelations: A Web of IRGC Networks and Cyber Companies
DARKReading	9 months ago	Saudi Arabia, UAE Top List of APT-Targeted Nations in the Middle East
InfoSecurity-magazine	a year ago	New Leaks Expose Web of Iranian Intelligence and Cyber Companies
Recorded Future	a year ago	Leaks and Revelations: A Web of IRGC Networks and Cyber Companies
CERT-EU	a year ago	Pennsylvania water facility hit by Iran-linked hackers
CERT-EU	a year ago	Windows systems targeted by new BiBi wiper malware version
CERT-EU	a year ago	Israel warns of BiBi wiper attacks targeting Linux and Windows
CERT-EU	a year ago	New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks
Flashpoint	a year ago	Cyber Escalation in Modern Conflict: Exploring Four Possible Phases of the Digital Battlefield
Securelist	a year ago	A hack in hand is worth two in the bush
CERT-EU	a year ago	A hack in hand is worth two in the bush
BankInfoSecurity	a year ago	Israel-Hamas War: Publicity-Seeking Hacktivists Take Sides
MITRE	2 years ago	StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations
MITRE	2 years ago	PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
CERT-EU	2 years ago	Israel Faces Fresh Wave of Cyberattacks Targeting Critical Infrastructure