Moses Staff
Also known as: DEV-0500 · Marigold Sandstorm
Overview
Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff has openly stated that its motivation for attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting victims' networks without demanding a ransom. Security researchers assess that Moses Staff is politically motivated and has also targeted government, finance, travel, energy, manufacturing, and utility companies outside Israel, including in Italy, India, Germany, Chile, Turkey, the UAE, and the US.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
- Custom malware/implant development — ATT&CK: 3 attributed custom malware families
TTPs — 12 techniques across 8 tactics
Initial Access
Persistence
- T1505.003 Web Shell
Stealth
- T1027.013 Encrypted/Encoded File
Defense Impairment
- T1553.002 Code Signing
- T1686.003 Windows Host Firewall
Discovery
- T1016 System Network Configuration Discovery
- T1082 System Information Discovery
- T1087.001 Local Account
Lateral Movement
- T1021.002 SMB/Windows Admin Shares
Command and Control
- T1105 Ingress Tool Transfer
Tools & malware (4)
PyDCrypt · PsExec · DCSrv · StrifeWater
Reporting (3)
- How Microsoft names threat actors — Microsoft
- StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations — Cybereason Nocturnus
- Uncovering MosesStaff techniques: Ideology over Money — Checkpoint Research