MosesStaff attacks organizations with encryption malware: No payment demand made

Israeli firms are being targeted for purely political and destructive purposes.
Written by Charlie Osborne, Contributing Writer

The MosesStaff hacking group has entered the 'ransomware' fray with a difference: blackmail payments are furthest from their minds.

On November 15, Check Point Research (CPR) said the group began targeting organizations in Israel during September this year, joining campaigns launched by Pay2Key and BlackShadow

The focus of these operations was to deploy ransomware on their victim's systems, cause damage, and steal valuable information destined for future public leaks. 

Ransomware operators, including Maze, Conti, and LockBit, to name but a few, have adopted double-extortion tactics through the launch of dedicated data leak websites on the Dark Web. 

During an assault, these groups will steal valuable corporate information ahead of the encryption of a victim's systems. If they refuse to pay up, these organizations are then faced with the threat of this data being leaked to the public or sold. 

However, MosesStaff is open about its intentions: the attacks are political. No ransom demand is made -- the only purpose is to steal information and to cause damage. 

"In the language of the attackers, their purpose is to "Fight against the resistance and expose the crimes of the Zionists in the occupied territories," CPR says.

The researchers assume that initial access is obtained through vulnerabilities in public-facing systems, such as the bugs in Microsoft Exchange Server, which were patched earlier this year. 

Once access has been secured, MosesStaff then drops a webshell to execute further commands; batch scripts for disabling Windows firewall and to enable SMB; PsExec for operating processes remotely; and OICe.exe, an executable written in the Golang programming language for receiving and executing commands via the command line.  

Data is then exfiltrated from the victim machine, including domain names, machine names, and credentials -- information which is then used to compile a custom version of the PyDCrypt malware. This payload is focused on infecting any other vulnerable machines on a network as well as ensuring the main encryption payload, DCSrv, is executed properly. DCSrv is based on the open source DiskCryptor tool.

The DiskCryptor bootloader is also executed to ensure the system can't be booted again without a password. However, the researchers say that it may be possible to reverse the current encryption process if properly kept EDR records are available in the right circumstances.

Attribution is not firm in this case, but CPR suspects that they may be located in Palestine due to development time logs and coding clues in a tool used, OICe.exe, which was submitted to VirusTotal from Palestine several months before the campaign began. 

"Like the Pay2Key and BlackShadow gangs before them, the MosesStaff group is motivated by politics and ideology to target Israeli organizations," the researchers commented. "Unlike those predecessors, however, they made an outright mistake when they put together their own encryption scheme, which is honestly a surprise in today's landscape where every two-bit cybercriminal seems to know at least the basics of how to put together functioning ransomware."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards