Deciphering Moses Staff APT’s Persistent Attacks Against Israeli Organizations

Background

• In September 2021, CheckPoint researchers first spotted activities related to the Moses Staff hacking group.
• The group is the third of its kind that majorly targets Israeli organizations, after Pay2Key and Black Shadow attack groups.
• Researchers noted that the politically-motivated hacking group did not engage in a ransom negotiation process after encrypting a victim’s data.  
• It leveraged old vulnerabilities such as unpatched Microsoft Exchange servers to breach networks. They used PSExec, WMIC, and PowerShell to move deeper inside the victim’s network.
• The hackers also operate a Telegram channel and Twitter account where they announce new victims they add to their leak site.

What’s the latest update?

• As per a new update shared by Cybereason Nocturnus Team, the APT group has made improvements in tactics and techniques to target several organizations located across Italy, India, Germany, China, Turkey, the UAE, and the U.S.
• The hacker group has also been associated with a new StrifeWater RAT that is capable of capturing screenshots, executing malicious commands, and downloading additional extensions.
• A variant of PyDCrypt, StrifeWater RAT was used by Moses Staff in the initial stage of the attack. 
• In a different finding, the Iran-backed threat actors were blamed for exploiting various Microsoft Exchange servers for targeting Israeli organizations. As a part of this attack campaign that spanned for several months, Moses Staff had used a new set of tools, including a backdoor, a loader, and a web shell. 

Conclusion