Moses Staff

Christopher Eaton | February 2nd, 2022


A previously undocumented remote access trojan (RAT) disguised as the Windows Calculator app was used by a politically motivated threat group in an effort to remain under the radar. A cybersecurity company named the malware “StrifeWater” while tracking the operations of Moses Staff, an Iranian threat actor connected to espionage and sabotage attacks on Israeli companies. The StrifeWater RAT is used during the initial stage of the attack and can remove itself from the system to cover the operators’ tracks. Additional capabilities of the RAT include command execution, screen capturing, and downloading additional extensions. Moses Staff emerged by perpetrating a series of attacks on Israeli organizations, intending to disrupt the targets’ business operations by encrypting their networks with no possibility of regaining access or negotiating a ransom.

StrifeWater RAT Used By Moses Staff

The intrusions rely on the open-source library DiskCryptor to perform volume encryption and use a bootloader to infect systems, preventing them from starting without the correct encryption key. Italy, India, Germany, Chile, Turkey, the United Arab Emirates, and the United States were also victims of the attacks. A cybersecurity company discovered a new piece of the attack puzzle: a RAT deployed under the name “calc.exe” (the Windows Calculator binary) and used during the early stages of the infection chain, only to be removed before the file-encrypting malware is deployed.

The researchers suspect that removing the malicious calculator executable and replacing it with the legitimate binary is the threat actor’s attempt to evade detection and erase evidence of the trojan until the final phase of the attack, when the ransomware payload is executed. StrifeWater shares features with its counterpart, including the ability to list system files, execute system commands, take screen captures, create persistence, and download updates and auxiliary modules. Moses Staff’s ultimate goal is political: it deploys ransomware after exfiltration not for financial gain, but to disrupt operations, obfuscate espionage activity, and damage systems to advance Iran’s geopolitical goals.
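One way defenders can hunt for the calc.exe masquerade described above is to compare every process that runs under that name against both its expected location and a hash baseline taken from a known-good image. The following Python is an added example, not code from the article or from SpearTip; the baseline bytes, hashes and process-creation records are constructed stand-ins, and the directory allow-list is an assumption about a standard Windows install.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed stand-in for the legitimate calc.exe; a real baseline would be the
# SHA-256 of the binary on a golden image, not of these placeholder bytes.
LEGIT_CALC_BYTES = b"MZ-constructed-legitimate-calc-stand-in"
KNOWN_GOOD_CALC_SHA256 = {hashlib.sha256(LEGIT_CALC_BYTES).hexdigest()}

# Assumed: Calculator only ever runs from these directories on a standard build.
LEGIT_CALC_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flag_calc_masquerade(events):
    """Return (pid, image, reasons) for each calc.exe execution that is suspicious.

    A record is flagged if the file runs from an unexpected directory, or if its
    hash is not in the baseline (covers an in-place replacement of the real file).
    """
    findings = []
    for ev in events:
        path = PureWindowsPath(ev["image"])
        if path.name.lower() != "calc.exe":
            continue  # only Calculator executions are in scope here
        reasons = []
        if str(path.parent).lower() not in LEGIT_CALC_DIRS:
            reasons.append("unexpected path")
        if ev["sha256"].lower() not in KNOWN_GOOD_CALC_SHA256:
            reasons.append("hash not in baseline")
        if reasons:
            findings.append((ev["pid"], ev["image"], reasons))
    return findings


# Constructed process-creation records: one benign run, a dropped copy in a
# user-writable directory, an in-place replacement, and an unrelated process.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\System32\calc.exe",
     "sha256": sha256_hex(LEGIT_CALC_BYTES)},
    {"pid": 1002, "image": r"C:\Users\Public\calc.exe",
     "sha256": sha256_hex(b"constructed-implant-bytes")},
    {"pid": 1003, "image": r"C:\Windows\System32\calc.exe",
     "sha256": sha256_hex(b"constructed-replaced-binary")},
    {"pid": 1004, "image": r"C:\Windows\System32\notepad.exe",
     "sha256": sha256_hex(b"constructed-notepad")},
]

if __name__ == "__main__":
    for pid, image, reasons in flag_calc_masquerade(SAMPLE_EVENTS):
        print(f"pid {pid}: {image} -> {', '.join(reasons)}")
```

Pair the hash check with an Authenticode signature check in production, since the hash baseline must be refreshed after every patch of the legitimate binary.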

With hacking groups developing new innovative malware and attack methods, it’s crucial for companies to maintain a deep understanding of the evolving threat landscape and improve network security to prevent potential threats. At SpearTip, you can trust our certified engineers’ ability to quickly respond to any threats with one of the fastest response times in the industry, reclaim companies’ networks within hours, and restore operations. Our engineers at our Security Operations Centers continuously monitor various networks 24/7 for potential threats like Moses Staff. The most effective way for companies to remain ahead of current threats is through proactive measures. SpearTip’s ShadowSpear, our endpoint detection and response platform, is a great proactive tool that optimizes visibility, blocks ransomware and prevents threat groups from exploiting network backdoors.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
