[BreachExchange] MosesStaff attacks organizations with encryption malware: No payment demand made

Tue Nov 16 15:24:55 EST 2021

https://www.zdnet.com/article/mosesstaff-attackers-deploy-ransomware-on-your-systems-no-payment-no-decryption-possible/

The MosesStaff hacking group has entered the 'ransomware' fray with a
difference: blackmail payments are furthest from their minds.

On November 15, Check Point Research (CPR) said the group began targeting
organizations in Israel during September this year, joining campaigns
launched by Pay2Key and BlackShadow.

The focus of these operations was to deploy ransomware on their victim's
systems, cause damage, and steal valuable information destined for future
public leaks.

Ransomware operators, including Maze, Conti, and LockBit, to name but a
few, have adopted double-extortion tactics through the launch of dedicated
data leak websites on the Dark Web.

During an assault, these groups will steal valuable corporate information
ahead of the encryption of a victim's systems. If they refuse to pay up,
these organizations are then faced with the threat of this data being
leaked to the public or sold.

However, MosesStaff is open about its intentions: the attacks are
political. No ransom demand is made -- the only purpose is to steal
information and to cause damage.

"In the language of the attackers, their purpose is to "Fight against the
resistance and expose the crimes of the Zionists in the occupied
territories," CPR says.

The researchers assume that initial access is obtained through
vulnerabilities in public-facing systems, such as the bugs in Microsoft
Exchange Server, which were patched earlier this year.

Once access has been secured, MosesStaff then drops a webshell to execute
further commands; batch scripts for disabling Windows firewall and to
enable SMB; PsExec for operating processes remotely; and OICe.exe, an
executable written in the Golang programming language for receiving and
executing commands via the command line.

Data is then exfiltrated from the victim machine, including domain names,
machine names, and credentials -- information which is then used to compile
a custom version of the PyDCrypt malware. This payload is focused on
infecting any other vulnerable machines on a network as well as ensuring
the main encryption payload, DCSrv, is executed properly. DCSrv is based on
the open source DiskCryptor tool.

The DiskCryptor bootloader is also executed to ensure the system can't be
booted again without a password. However, the researchers say that it may
be possible to reverse the current encryption process if properly kept EDR
records are available in the right circumstances.

Attribution is not firm in this case, but CPR suspects that they may be
located in Palestine due to development time logs and coding clues in a
tool used, OICe.exe, which was submitted to VirusTotal from Palestine
several months before the campaign began.

"Like the Pay2Key and BlackShadow gangs before them, the MosesStaff group
is motivated by politics and ideology to target Israeli organizations," the
researchers commented. "Unlike those predecessors, however, they made an
outright mistake when they put together their own encryption scheme, which
is honestly a surprise in today's landscape where every two-bit
cybercriminal seems to know at least the basics of how to put together
functioning ransomware."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20211116/45c2aa1d/attachment.html>