MosesStaff Brings Destructive New Spin To Ransomware

You are currently viewing MosesStaff Brings Destructive New Spin To Ransomware

MosesStaff is a politically motivated, emerging threat which is targeting the state of Israel. According to researchers, the group is hoping to inflict the most damage possible, researchers warned.

Unlike other anti-Zionist hacktivists like the Pay2Key and BlackShadow gangs, which look to extort their victims and cause embarrassment, MosesStaff encrypts networks and steals information, with no intention of demanding a ransom or rectifying the damage. That’s according to Check Point Research (CPR), which began observing MosesStaff activity in September.

MosesStaff also keeps an active social media presence and is pushing provocative messages and videos across its accounts to make its intentions known.

“In the language of the attackers, their purpose is to ‘fight against the resistance and expose the crimes of the Zionists in the occupied territories,’” researchers explained in a Monday post. “There is no ransom demand and no decryption option; their motives are purely political.”

MosesStaff is one of the first major ransomware outfits which has no ransom demand and offers no option for victims to decrypt.

MosesStaff exploits known vulnerabilites in Exchange Servers to achieve the initial foothold, CPR stated. The attackers then open an obfuscated, password-protected webshell to carry out its attack.

Using this access, the threat actors go on to deploy several additional tools, according to the analysis:

Multiple batch scripts that can enable SMB share or disable the Windows firewall on specific remote machines;
A copy of PsExec, a portable tool from Microsoft that allows running processes remotely with any user’s credentials;
OICe.exe, a small Go executable for executing commands. It might be used on the compromised server in the early steps of the attack to avoid executing suspicious child processes like cmd or PowerShell.

In the next step, MosesStaff collects information on connected machines in the network. CPR stated this is to compile a custom, environment-specific malware called PyDCrypt – a precursor to the main payload, which, it turns out, uses a flawed encryption mechanism.

PyDCrypt, which is written in Python, uses the list information to move laterally throughout the network, replicating itself inside the network using available tools like PowerShell, PSExec or WMIC, and installing PSExec, the batch scripts and the main encryption payload on each machine.

The primary encryption payload is another custom malware named DCSrv. It hides itself as a legitimate svchost.exe process and is focused on encrypting all computer volumes. It uses a three-part execution flow consisting of driver installation, volume encryption and boot loader installation.

“When the malware finishes installing the driver, it performs a reboot after a few minutes to make the driver operational,” CPR analysts explained. “On the second run, the malware waits for the exact time given in the configuration before it detonates its encryption mechanism. This is yet another proof that the payloads are targeted and created per victim.”

This core encryption mechanism is based on the DiskCryptor open-source library, “to perform volume encryption and lock the victims’ computers with a bootloader that won’t allow the machines to boot without the correct password,” according to the writeup.

Fortunately, CPR found that decryption is currently possible.

“The most notorious ransomware gangs (e.g. Conti, REvil, Lockbit etc.), almost without exception, always ensure that their encryption system is well-designed and unassailable,” researchers said. “For whatever reasons, including non-financial motivation, lack of experience with ransomware or amateur coding skills, the MosesStaff group didn’t make as much of an effort.”

And indeed, CPR uncovered two options to potentially reverse the encryption, as detailed in the posting:

The first and foremost option is to look at the endpoint detection and response (EDR) product logs if they were installed in the environment. A properly designed EDR records all process creations, together with their command line parameters, which are the keys in our case.
The second option is to extract and reverse the PyDCrypt malware which attacked the victim in the first place. This method is a little trickier due to the code deleting itself after finishing running. From the PyDCrypt sample, we can extract the crafted hashing function which generates the keys per computer.
From there, it’s possible to plug these extracted keys into the boot login screen, unlocking the computer and restoring access to the operating system.

“They made an outright mistake when they put together their own encryption scheme, which is honestly a surprise in today’s landscape where every two-bit cybercriminal seems to know at least the basics of how to put together functioning ransomware,” according to CPR.

That said, “the disks remain encrypted and the DiskCryptor boot loader is active on every restart,” according to CPR. “This can be solved by creating a simple program that initiates proper IOCTL to the DiskCryptor driver, and eventually, removes it from the system.”

Protection From MosesStaff

Attacks like the Conti Ransomware campaign show that cyberattacks are increasing at an exponential rate, and both government and business leaders are underprepared to face the fallout of an attack. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply