A hack in hand is worth two in the bush

Researchers analyze the cyber dimension of the Israel-Hamas conflict, highlighting hacktivist groups Cyber Av3ngers and Moses Staff and their impact on critical infrastructure. The analysis links the October 8 Dorad power station incident to Moses Staff leaks and details tools like PyDCrypt, DCSrv, and StrifeWater, while warning of potential future wiper or ransomware activity. #CyberAv3ngers #MosesStaff #DoradPowerStation #Israel #PyDCrypt #DCSrv #StrifeWater

Keypoints

  • The Israel-Hamas conflict has an ongoing cyber dimension running alongside the kinetic war, with state-sponsored, hacktivist, and independent actors intermingled in the same operations.
  • Observed activity so far consists of DDoS, information warfare, and hacktivist campaigns; the researchers warn that wiper or ransomware attacks may follow.
  • On Oct 8, Cyber Av3ngers claimed to have hacked the Dorad private power station. The "proof" it published consisted of DoS/DDoS evidence, and the underlying material can be traced back to older Moses Staff leaks.
  • Moses Staff is alleged to be an Iranian actor that targets companies in Israel and other countries, typically stealing and then publishing sensitive data; the Cyber Av3ngers claims appear to recycle those Moses Staff leaks.

MITRE Techniques

  • [T1036] Masquerading – DCSrv is a malicious process that masquerades as the legitimate “svchost.exe” process.
  • [T1059] Command and Scripting Interpreter – PyDCrypt is a Python program built with PyInstaller; it infects other computers on the network and ensures that the main payload, DCSrv, executes properly.
  • [T1113] Screen Capture – StrifeWater can execute remote commands and capture the screen.
  • [T1486] Data Encrypted for Impact – The malware encrypts all of the host's volumes using the legitimate open-source encryption utility DiskCryptor.

Indicators of Compromise

  • [File Name] POC-IPC.rar – Archive file in Moses Staff leak data
  • [File Hash] 48220a3a4c72317ae0fbb08e255b8350
  • [File Hash] 4cba27111c5fca7a1ae78566de2df5b3
  • [File Hash] a7704fbccaeb78678a5f94714993567c
  • [File Hash] aa579d5f062f02d9ff76910560bb312c
  • [File Hash] f8c06e955718639ba9ffdd4265965593
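Two of the observables above translate directly into host triage checks: the T1036 entry (DCSrv posing as svchost.exe) and the MD5 list. The script below is an added example written for this page; it is not code from the Securelist report or from the actors' tooling. It flags any process named svchost.exe that does not run from System32/SysWOW64 with services.exe as its parent, and it hashes files on disk against the IOC list. The process records, the field names (pid, image, parent_image) and the sample file are constructed for the demonstration and do not represent any real telemetry format.

```python
"""Added example: triage helpers for two observables from the page.

1. T1036 masquerading: in this example we take the baseline that a legitimate
   svchost.exe runs from %SystemRoot%\\System32 (or SysWOW64) and is started
   by services.exe; anything else is flagged for review.
2. IOC hash matching: compare MD5 digests of files on disk against the hash
   list published on the page.

The process records below and the sample file written by demo_scan() are
constructed for the example. The field names are assumptions, not the format
of any particular EDR product.
"""
import hashlib
import tempfile
from pathlib import Path

# MD5 hashes as listed in the Indicators of Compromise section above.
IOC_MD5 = {
    "48220a3a4c72317ae0fbb08e255b8350",
    "4cba27111c5fca7a1ae78566de2df5b3",
    "a7704fbccaeb78678a5f94714993567c",
    "aa579d5f062f02d9ff76910560bb312c",
    "f8c06e955718639ba9ffdd4265965593",
}

# Directories from which svchost.exe is expected to run (lower-cased).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_svchost_masquerade(proc: dict) -> bool:
    """True if a process calling itself svchost.exe runs from an unexpected
    directory or has a parent other than services.exe."""
    image = proc["image"].lower()
    directory, _, name = image.rpartition("\\")
    if name != "svchost.exe":
        return False
    parent = proc["parent_image"].lower().rpartition("\\")[2]
    return directory not in LEGIT_SVCHOST_DIRS or parent != "services.exe"


def find_masquerades(procs) -> list:
    """Return the pids of all processes that look like svchost masquerades."""
    return [p["pid"] for p in procs if is_svchost_masquerade(p)]


# Constructed process snapshot (not real telemetry).
SAMPLE_PROCS = [
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},      # legitimate
    {"pid": 4120, "image": r"C:\Users\Public\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe"},               # wrong path
    {"pid": 5200, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\Public\PyDCrypt.exe"},          # right path, wrong parent
    {"pid": 6001, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},               # not svchost at all
]


def md5_of_file(path) -> str:
    """Stream a file through MD5 so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(paths, iocs=IOC_MD5) -> dict:
    """Map each path whose MD5 is in the IOC set to its digest."""
    hits = {}
    for p in paths:
        digest = md5_of_file(p)
        if digest in iocs:
            hits[str(p)] = digest
    return hits


def demo_scan():
    """Constructed demo: a harmless file must not match the page's IOCs, and
    the scanner must match once the file's own digest is supplied as an IOC."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample file, not malware\n")
        digest = md5_of_file(sample)
        no_hit = scan_for_iocs([sample])
        self_hit = scan_for_iocs([sample], {digest}) == {str(sample): digest}
        return no_hit, self_hit


if __name__ == "__main__":
    print("svchost masquerade candidates:", find_masquerades(SAMPLE_PROCS))
    print("IOC scan demo (hits against page IOCs, self-match works):", demo_scan())
```

In a real investigation the process snapshot would come from an EDR export or `Get-Process`/`Get-CimInstance Win32_Process`, and the path list from a walk of the suspect host; the checks themselves stay the same. Note that the parent-process baseline is a heuristic, so a hit is a lead to verify, not a conviction.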

Read more: https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/