Security News > 2022 > February > Hacker Group 'Moses Staff' Using New StrifeWater RAT in Ransomware Attacks
A politically motivated hacker group tied to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan that masquerades as the Windows Calculator app as part of a conscious effort to stay under the radar.
"The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group's tracks," Tom Fakterman, Cybereason security analyst, said in a report.
Moses Staff came to light towards the end of last year when Check Point Research unmasked a series of attacks aimed at Israeli organizations since September 2021 with the objective of disrupting the target's business operations by encrypting their networks, with no option to regain access or negotiate a ransom.
To date, victims have been reported beyond Israel, including Italy, India, Germany, Chile, Turkey, the U.A.E., and the U.S. The new piece of the attack puzzle discovered by Cybereason comes in the form of a RAT that's deployed under the name "Calc.exe" and is used during the early stages of the infection chain, only to be removed prior to the deployment of the file-encrypting malware.
"The end goal for Moses Staff appears to be more politically motivated rather than financial," Fakterman concluded.
"Moses Staff employs ransomware post-exfiltration not for financial gain, but to disrupt operations, obfuscate espionage activity, and to inflict damage to systems to advance Iran's geopolitical goals."
News URL
https://thehackernews.com/2022/02/hacker-group-moses-staff-using-new.html
Related news
- North Korean govt hackers linked to Play ransomware attack (source)
- Massive PSAUX ransomware attack targets 22,000 CyberPanel instances (source)
- North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack (source)
- North Korean hackers pave the way for Play ransomware (source)
- City of Columbus: Data of 500,000 stolen in July ransomware attack (source)
- Columbus, Ohio, confirms 500K people affected by Rhysida ransomware attack (source)
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Halliburton reports $35 million loss after ransomware attack (source)
- New Ymir ransomware partners with RustyStealer in attacks (source)