A politically motivated hacker group tied to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan (RAT) that masquerades as the Windows Calculator app as part of a conscious effort to stay under the radar.
Cybersecurity company Cybereason, which has been tracking the operations of the Iranian actor known as Moses Staff, dubbed the malware “StrifeWater.”
“The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group’s tracks,” Tom Fakterman, Cybereason security analyst, said in a report. “The RAT possesses other capabilities, such as command execution and screen capturing, as well as the ability to download additional extensions.”
Moses Staff came to light towards the end of last year when Check Point Research unmasked a series of attacks aimed at Israeli organizations since September 2021 with the objective of disrupting the targets’ business operations by encrypting their networks, with no option to regain access or negotiate a ransom.
The intrusions were notable for the fact that they relied on the open-source library DiskCryptor to perform volume encryption, in addition to infecting the systems with a bootloader that prevents them from starting without the correct encryption key.
To date, victims have been reported beyond Israel, including Italy, India, Germany, Chile, Turkey, the U.A.E., and the U.S.
The new piece of the attack puzzle discovered by Cybereason comes in the form of a RAT that is deployed under the name “calc.exe” (the Windows Calculator binary) and is used during the early stages of the infection chain, only to be removed prior to the deployment of the file-encrypting malware.
The removal and the subsequent replacement of the malicious calculator executable with the legitimate binary, the researchers suspect, is an attempt on the part of the threat actor to cover up tracks and erase evidence of the trojan, not to mention enable them to evade detection until the final phase of the attack when the ransomware payload is executed.
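Spotting this kind of masquerading on an endpoint comes down to two checks: where a file called calc.exe actually lives, and whether it carries a valid Microsoft signature. The PowerShell below is an added example, not code from Cybereason or the report; the trusted directory list and the user-writable sweep roots are assumptions for illustration.

```powershell
# Added example (not Cybereason's code): flag calc.exe images that sit outside the
# Windows system directories or are not validly signed by Microsoft.
# The directory list and sweep roots below are assumptions, not published indicators.

$trustedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Test-CalcImage {
    # Returns the reasons an image looks suspicious; an empty result means it looks legitimate.
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    if ($trustedDirs -notcontains (Split-Path -Parent $Path)) {
        $findings += 'image outside system directories'
    }

    # Windows system binaries are often catalog-signed; PowerShell 5.1+ resolves those too.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    return $findings
}

# 1. Running processes named calc.exe, resolved to their on-disk image
Get-CimInstance Win32_Process -Filter "Name = 'calc.exe'" |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $f = Test-CalcImage -Path $_.ExecutablePath
        if ($f) { "[PID $($_.ProcessId)] $($_.ExecutablePath): $($f -join '; ')" }
    }

# 2. Stray copies in user-writable locations (assumed sweep roots), which catches a
#    dropped binary that is not currently running
$sweepRoots = @($env:ProgramData, $env:TEMP, $env:USERPROFILE)
Get-ChildItem -Path $sweepRoots -Filter 'calc.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Test-CalcImage -Path $_.FullName
        if ($f) { "[file] $($_.FullName): $($f -join '; ')" }
    }
```

Because the report says the trojan is deleted and swapped for the real binary before the ransomware stage, the file sweep is most useful when run against forensic images or backups taken earlier in the intrusion, not only on the live host.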
StrifeWater, for its part, is no different from its counterparts and comes with numerous features, chief among them being the ability to list system files, execute system commands, take screen captures, create persistence, and download updates and auxiliary modules.
“The end goal for Moses Staff appears to be more politically motivated rather than financial,” Fakterman concluded. “Moses Staff employs ransomware post-exfiltration not for financial gain, but to disrupt operations, obfuscate espionage activity, and to inflict damage to systems to advance Iran’s geopolitical goals.”