Last Updated on 03/02/2022 by Nidhi Khandelwal
A politically motivated hacker group tied to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan (RAT) that masquerades as the Windows Calculator app as part of a conscious effort to stay under the radar.
Cybersecurity company Cybereason, which has been tracking the operations of the Iranian actor known as Moses Staff, dubbed the malware “StrifeWater.”
“The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group’s tracks,” Tom Fakterman, Cybereason security analyst, said in a report. “The RAT possesses other capabilities, such as command execution and screen capturing, as well as the ability to download additional extensions.
Check Point Research unmasked a series of attacks aimed at Israeli organizations since September 2021 with the goal of disrupting the target’s business operations by encrypting their networks, with no option to regain access or negotiate a ransom, bringing Moses Staff to light towards the end of last year.
The breaches were notable for encrypting volumes using the open-source library DiskCryptor, as well as infecting the computers with a bootloader that stops them from starting without the necessary encryption key.
Italy, India, Germany, Chile, Turkey, the United Arab Emirates, and the United States have all reported victims so far.