Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months | FortiGuard Labs

MITRE Techniques

• [T1190] Exploit Public-Facing Application – The ProxyShell exploit on Exchange allowed unauthenticated command execution via an exposed HTTPS port. [The initial infiltration was accomplished by leveraging the ProxyShell exploit in Microsoft Exchange servers to allow an unauthenticated attacker to execute arbitrary commands on them through an exposed HTTPS port.]
• [T1505.003] Server Software Component: Web Shell – Web shells iispool.aspx and map.aspx were deployed post-exploitation to access and control the server. [These two web shells are used in conjunction with one another, and some of their functionalities overlap. On numerous occasions, map.aspx was used to validate the results of the commands executed by iispool.aspx.]
• [T1003.001] OS Credential Dumping: LSASS Memory – Attackers dumped LSASS memory to steal credentials. [Next, the attackers dumped LSASS memory using a LOLBin to steal credentials.]
• [T1005] Data from Local System – Exfiltration of PST files and other sensitive data from the compromised server. [Post infection, the attackers dedicated several days to the exfiltration of PST files and other sensitive data from the compromised server.]
• [T1569.002] System Services: Service Execution – The loader installs itself as a service named DriveGuard. [When executed with the “-I” command-line argument, it installs itself as a service named DriveGuard.]
• [T1055] Process Injection – inj.dll uses VirtualAllocEx and SetThreadContext to run shellcode in the target process. [The injection is implemented in inj.dll, which uses VirtualAllocEx and SetThreadContext to run shellcode in the target process.]
• [T1134.004] Access Token Manipulation: Parent PID Spoofing – The loader spoofs the backdoor’s parent process to svchost.exe. [This is achieved via calling CreateProcess and setting the parent process attribute to the first svchost.exe process found in the system.]
• [T1140] Deobfuscate/Decode Files or Information – The backdoor configuration is encrypted (XOR-based) and decrypted with a Python routine. [The encryption scheme used is XOR-based and can be decrypted by the following Python code.]
• [T1573.001] Encrypted Channel: Symmetric Cryptography – The backdoor/config data is encrypted and transmitted over encrypted channels. [The configuration contains two sets of C2 and URI addresses, alongside a time interval, in seconds, that determines the frequency at which to contact the server. A random value between 0 and 2 seconds is added to the interval to cause jitter.]
• [T1008] Fallback Channels – The backdoor switches between two C2 servers if the primary is unresponsive or returns empty data. [The backdoor continually queries the server for commands. In the event of five consecutive unsuccessful queries, the backdoor will switch to contacting the backup server.]
• [T1071.001] Application Layer Protocol: Web Protocols – Commands are delivered over HTTP/S POST to the C2 servers. [The backdoor first sends a POST request to the first configured server. It alternates between contacting the two servers depending on their status…]
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Several commands involve executing command lines (e.g., Execute command line). [The command-line argument “-ser” is used to trigger backdoor execution.]
• [T1041] Exfiltration Over C2 Channel – Data is sent to the C2 server and parsed responses drive actions. [The data field contains information about the infected machine.]
• [T1033] System Owner/User Discovery – The C2 data includes hostname and username, helping attribution. [The token field is comprised of the hostname, username, and an ID.]
• [T1560.001] Obfuscated/Compressed Files (Not explicitly listed, but Deobfuscation is shown) – Backdoor config and communications are obfuscated/encoded. [The data field contains information about the infected machine, encrypted with the same algorithm and key as the configuration file.]