
MosesStaff Locks Up Targets, with No Ransom Demand, No Decryption
2021-11-16 18:29

The MosesStaff hacking group is aiming politically motivated, destructive attacks at Israeli targets, looking to inflict the most damage possible, researchers warned.

Unlike other anti-Zionist hacktivists like the Pay2Key and BlackShadow gangs, which look to extort their victims and cause embarrassment, MosesStaff encrypts networks and steals information, with no intention of demanding a ransom or rectifying the damage.

MosesStaff is exploiting known vulnerabilities in Microsoft Exchange Server to achieve initial compromise, Check Point Research (CPR) noted.

PyDCrypt, which is written in Python, uses the list information to move laterally across the network, replicating itself with available tools such as PowerShell, PsExec or WMIC, and installing PsExec, the batch scripts and the main encryption payload on each machine.
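The fan-out described above (one host reaching many others through WMIC, PsExec and PowerShell remoting, with the PsExec service appearing on each target) is the pattern a defender can hunt for in Windows event logs. The script below is an added example, not code from the article or from CPR; it runs over constructed, simplified event records (the hostnames, timestamps and command lines are assumptions) and flags any source host that remotely reaches several distinct machines within a short window, alongside hosts where the PsExec service was installed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, host that logged it, event ID, detail).
# 4688 = process creation, 7045 = new service installed. Not real telemetry.
SAMPLE_EVENTS = [
    ("2021-11-01T10:00:05", "WS01", 4688, "C:\\Windows\\System32\\wbem\\WMIC.exe /node:FS01 process call create cmd.exe /c \\\\WS01\\share\\run.bat"),
    ("2021-11-01T10:00:09", "FS01", 7045, "Service installed: PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe"),
    ("2021-11-01T10:00:12", "WS01", 4688, "PsExec.exe \\\\DB01 -s -c -f encrypt.bat"),
    ("2021-11-01T10:00:20", "WS01", 4688, "powershell.exe -nop -w hidden Invoke-Command -ComputerName WS07 -FilePath C:\\temp\\spread.bat"),
    ("2021-11-01T11:30:00", "ADMIN1", 4688, "PsExec.exe \\\\FS02 -s cmd.exe"),  # single admin use, below threshold
]

# Command-line shapes that name a remote target; group 1 captures the target host.
REMOTE_PATTERNS = [
    re.compile(r"wmic(?:\.exe)?\s+/node:\"?([\w.-]+)", re.I),
    re.compile(r"psexec(?:64)?(?:\.exe)?\s+\\\\([\w.-]+)", re.I),
    re.compile(r"-ComputerName\s+([\w.-]+)", re.I),
]

def find_lateral_fanout(events, min_targets=2, window_minutes=15):
    """Return {source_host: [targets]} for hosts that reach >= min_targets
    distinct machines via remote-execution tooling inside one time window."""
    by_source = defaultdict(list)
    for ts, host, event_id, detail in events:
        if event_id != 4688:
            continue
        for pat in REMOTE_PATTERNS:
            m = pat.search(detail)
            if m:
                by_source[host].append((datetime.fromisoformat(ts), m.group(1).upper()))
                break
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for source, hits in by_source.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):  # slide the window over each start point
            targets = {t for ts, t in hits[i:] if ts - start <= window}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            flagged[source] = sorted(best)
    return flagged

def psexec_service_hosts(events):
    """Hosts where the PSEXESVC service was installed (the PsExec footprint on a target)."""
    return {host for _, host, eid, detail in events if eid == 7045 and "PSEXESVC" in detail.upper()}

if __name__ == "__main__":
    print("fan-out sources:", find_lateral_fanout(SAMPLE_EVENTS))
    print("PsExec service seen on:", psexec_service_hosts(SAMPLE_EVENTS))
```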

CPR researchers also observed one of the tools used in the attack, OICe.exe, being submitted to VirusTotal from Palestine a few months before the attacks began.

"MosesStaff has a specific modus operandi of exploiting vulnerabilities in public-facing servers, then using a combination of unique tools and living-off-the-land maneuvers to leave the targeted network encrypted, with encryption used solely for destruction purposes," said CPR researchers.

News URL

https://threatpost.com/mosesstaff-locks-targets-ransom-decryption/176366/