Cybereason Nocturnus tracks the Iranian APT Moses Staff, which has added a previously undocumented Remote Access Trojan, StrifeWater, to its ransomware operations and deploys it in the initial infection stage. StrifeWater can list files, execute shell commands, capture the screen, establish persistence, and download additional modules; the operation is assessed as politically motivated espionage and disruption rather than financially driven crime.
#StrifeWater #MosesStaff #PyDCrypt #DCSrv #techzenspace
Key points
- The Remote Access Trojan StrifeWater was undocumented before this report and appears early in Moses Staff’s attack chain.
- StrifeWater can list system files, execute commands, capture screens, create persistence via a scheduled task, and download additional modules.
- The RAT is removed from the infected environment before the ransomware is deployed, so that analysis of the ransomware stage is less likely to surface the espionage tooling.
- Moses Staff uses ransomware post-exfiltration not for money, but to disrupt operations and obfuscate espionage activity.
- Victims span multiple countries and sectors, including Israel, Italy, India, Germany, Chile, Turkey, UAE, and the US.
- PyDCrypt variants continue to be used, with signs of testing (one variant simply prints “Hello”) and environment parameters hard-coded per target.
MITRE Techniques
- [T1053.005] Scheduled Task – Creates persistence via a scheduled task named “MozillaFirefox Default Browser Agent 409046Z0FF4A39CB” (‘The RAT will create persistence using a scheduled task named: “MozillaFirefox Default Browser Agent 409046Z0FF4A39CB”’).
- [T1059.003] Windows Command Shell – Executes shell commands using cmd.exe (‘Executing shell commands using cmd.exe’).
- [T1113] Screen Capture – Takes screen captures (‘Taking screen captures’).
- [T1083] File and Directory Discovery – Lists system files (‘Listing system files’).
- [T1036] Masquerading – Masquerades its arsenal as legitimate Windows software (‘masquerade its arsenal as legitimate Windows software’).
- [T1105] Ingress Tool Transfer – Downloads updates and auxiliary modules (‘Downloading updates and auxiliary modules’).
Indicators of Compromise
- [IP] 87.120.210 – C2 server/address used by StrifeWater communications.
- [Domain] techzenspace.com – Hardcoded domain used in C2 infrastructure.
- [URL] http://87.120.8.210:80/RVP/index8.php – C2 endpoint referenced by StrifeWater.
- [URL] techzenspace.com/RVP/index3.php – Additional C2 URL observed.
- [File] C:\Users\Public\calc.exe – StrifeWater dropped under the name calc.exe in the Public user profile; the legitimate Calculator lives under C:\Windows\System32, so the path, not the file name, is the indicator.
- [File] C:Userswin8Desktopishdar_win81x64Releasebrokerhost.pdb – Hard-coded PDB path found in PyDCrypt-related activity (directory separators were lost in extraction, so do not search for this literal string).
- [File] calc.exe – Windows Calculator binary, used as part of the masquerading behavior; the name alone is too common to hunt on, so pair it with the drop path or a file hash.
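The following hunt script is an added example (not Cybereason's tooling and not code from the report) that turns the MITRE techniques and the indicators listed above into checks over host telemetry and a proxy log. The indicator values (task name, domain, the host and path of the listed C2 URL, the drop path) come from this page; the event field names (`Image`, `CommandLine`, `TaskName`, modelled on Sysmon event 1 and Security event 4698), the proxy record layout, the sample records, and the generalisation of `/RVP/index3.php` and `/RVP/index8.php` to a `/RVP/index<N>.php` pattern are assumptions made for the example.

```python
"""Hunt for the StrifeWater indicators listed above in sample telemetry.

Added example, not the report's own code. Indicator values are taken from the
IoC and MITRE lists above; event field names, the proxy log layout and the
sample records are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators from the lists above.
TASK_NAME = "MozillaFirefox Default Browser Agent 409046Z0FF4A39CB"
C2_HOSTS = {"techzenspace.com", "87.120.8.210"}   # domain plus the host of the listed C2 URL
C2_PATH = re.compile(r"^/RVP/index\d+\.php$", re.IGNORECASE)  # assumption: generalises index3/index8
DROP_PATH = r"c:\users\public\calc.exe"
LEGIT_CALC_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # where the real Calculator lives


@dataclass(frozen=True)
class Hit:
    source: str      # telemetry that produced the hit
    technique: str   # ATT&CK ID from the list above ("?" marks a lower-confidence match)
    detail: str


def check_host_event(event: dict) -> list[Hit]:
    """Inspect one host event. Fields follow Sysmon EID 1 (Image, CommandLine)
    and Security EID 4698 (TaskName); the field names are assumptions."""
    hits = []
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    task = event.get("TaskName", "").lstrip("\\")   # 4698 reports "\<name>"

    # T1036: the RAT runs as calc.exe, but from C:\Users\Public, not System32.
    if image == DROP_PATH:
        hits.append(Hit("host", "T1036", f"StrifeWater drop path executed: {event['Image']}"))
    elif image.endswith(r"\calc.exe") and not image.startswith(LEGIT_CALC_DIRS):
        # calc.exe by name is not distinctive; only its location is.
        hits.append(Hit("host", "T1036?", f"calc.exe outside System32: {event['Image']}"))

    # T1053.005: the hard-coded task name, whether logged as a task-creation
    # event or passed on a command line.
    if task == TASK_NAME or TASK_NAME.lower() in cmdline.lower():
        hits.append(Hit("host", "T1053.005", f"scheduled task '{TASK_NAME}'"))
    return hits


def check_proxy_line(line: str) -> list[Hit]:
    """Parse a constructed proxy record '<ts> <client> <method> <url> <status>'."""
    fields = line.split()
    if len(fields) < 5:
        return []
    url = urlsplit(fields[3])
    host = (url.hostname or "").lower()
    if host in C2_HOSTS:
        return [Hit("proxy", "T1105", f"{fields[1]} -> {fields[3]}")]
    if C2_PATH.match(url.path):
        # Known C2 path shape on an unlisted host: worth a look, lower confidence.
        return [Hit("proxy", "T1105?", f"{fields[1]} -> {fields[3]} (path pattern only)")]
    return []


def hunt(host_events, proxy_lines) -> list[Hit]:
    hits = []
    for ev in host_events:
        hits.extend(check_host_event(ev))
    for ln in proxy_lines:
        hits.extend(check_proxy_line(ln))
    return hits


# Constructed sample telemetry (not from the report): a benign Calculator
# launch, the RAT running from C:\Users\Public, a 4698-style task creation,
# and three proxy records, one of them benign.
SAMPLE_HOST_EVENTS = [
    {"Image": r"C:\Windows\System32\calc.exe", "CommandLine": '"C:\\Windows\\System32\\calc.exe"'},
    {"Image": r"C:\Users\Public\calc.exe", "CommandLine": r"C:\Users\Public\calc.exe"},
    {"TaskName": "\\" + TASK_NAME, "Image": ""},
]
SAMPLE_PROXY_LINES = [
    "2022-02-01T10:00:01Z 10.0.0.5 GET http://87.120.8.210:80/RVP/index8.php 200",
    "2022-02-01T10:00:02Z 10.0.0.5 POST http://techzenspace.com/RVP/index3.php 200",
    "2022-02-01T10:00:03Z 10.0.0.7 GET https://www.mozilla.org/ 200",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_HOST_EVENTS, SAMPLE_PROXY_LINES):
        print(f"[{hit.source}] {hit.technique}: {hit.detail}")
```

The benign Calculator launch produces no hit because the match is on location, not name; the task check accepts both the creation event and a command line carrying the name, since the page does not say how the task is created. Treat the `T1105?` and `T1036?` matches as leads to triage, not alerts.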