{"id":18289,"date":"2022-02-16T06:33:03","date_gmt":"2022-02-16T14:33:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/16\/news-12022\/"},"modified":"2022-02-16T06:33:03","modified_gmt":"2022-02-16T14:33:03","slug":"news-12022","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/16\/news-12022\/","title":{"rendered":"Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs.html?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a>\u00a0Research<\/h2>\n<p><b>Affected Platforms:<\/b> Windows<br \/> <b>Impacted Users:<\/b> Windows Users<br \/> <b>Impact:<\/b> Data theft and execution of additional malicious payloads<br \/> <b>Severity Level:<\/b> Critical<\/p>\n<p>Over the past year, FortiEDR has prevented multiple attacks that attempted to exploit various Microsoft Exchange server vulnerabilities, some of which we have previously <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/more-proxyshell-web-shells-lead-to-zerologon-and-application-impersonation-attacks\">covered<\/a>.<\/p>\n<p>Among these attacks, we identified a campaign operated by Moses Staff, a geopolitically motivated threat group believed to be sponsored by the Iranian government. After tracking this campaign for the last several months, we found that the group has been using a custom multi-component toolset for the purpose of conducting espionage against its victims.<\/p>\n<p>This campaign exclusively targets Israeli organizations. 
Close examination reveals that the group has been active for over a year, much earlier than the group\u2019s first official public exposure, managing to stay under the radar with an extremely low detection rate.<\/p>\n<p>In this blog, we will cover the Tactics, Techniques, and Procedures (TTPs) used by Moses Staff and reveal a new backdoor used by them to download files, execute payloads, and exfiltrate data from target networks, along with threat intelligence data on their activities.<\/p>\n<h3>Infection Vector<\/h3>\n<p>The initial infiltration was accomplished by leveraging the <a href=\"https:\/\/www.zerodayinitiative.com\/blog\/2021\/8\/17\/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell\" target=\"_blank\">ProxyShell<\/a> exploit against Microsoft Exchange servers, which allows an unauthenticated attacker to execute arbitrary commands on them through an exposed HTTPS port. As a result, the attackers were able to deploy two web shells:<\/p>\n<ul>\n<li><code>C:\/inetpub\/wwwroot\/aspnet_client\/system_web\/iispool.aspx<\/code><\/li>\n<li><code>C:\/inetpub\/wwwroot\/aspnet_client\/system_web\/map.aspx<\/code><\/li>\n<\/ul>\n<p>These two web shells are used in conjunction with one another, and some of their functionalities overlap. On numerous occasions, <code>map.aspx<\/code> was used to validate the results of the commands executed by <code>iispool.aspx<\/code>.<\/p>\n<p>Post-infection, the attackers dedicated several days to the exfiltration of PST files and other sensitive data from the compromised server. Next, they attempted to steal credentials by creating a memory dump of <code>lsass.exe<\/code> using a LOLBin. Finally, the attackers dropped and installed the backdoor components.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"><img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image.img.png\/1643830959622\/fig-1.png\" alt=\"Figure 1: Command line for dumping memory for lsass.exe\"\/> <span class=\"cmp-image--title\">Figure 1: Command line for dumping memory for lsass.exe<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>Execution Chain<\/h3>\n<p>The loader resides in <code>C:\\Windows\\System32\\drvguard.exe<\/code>. When executed with the \u201c<code>-I<\/code>\u201d command-line argument, it installs itself as a service named <code>DriveGuard<\/code>.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\"><img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_1230833167.img.png\/1643831017976\/fig2.png\" alt=\"Figure 2: DriveGuard service properties\"\/> <span class=\"cmp-image--title\">Figure 2: DriveGuard service properties<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The loader is responsible for executing the backdoor component and then monitoring its process, relaunching it whenever it has stopped. In addition, it launches a watchdog mechanism that ensures its own service is never stopped. 
The following flow chart illustrates the described process:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\"><img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_1208253379.img.jpeg\/1643928032499\/img3.jpeg\" alt=\"Figure 3: Loading mechanism flow\"\/> <span class=\"cmp-image--title\">Figure 3: Loading mechanism flow<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>If the backdoor does not exist on the disk, the loader creates it by reading the content of <code>C:\\Windows\\System32\\rsc.dat<\/code> and restoring its DOS header magic value to <code>4D 5A 90<\/code>. The valid executable is written to disk at <code>C:\\Windows\\System32\\broker.exe<\/code>.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\"><img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_743028412.img.png\/1643831125779\/img4.png\" alt=\"Figure 4: rsc.dat \u2013 the backdoor without magic bytes in the header\"\/> <span class=\"cmp-image--title\">Figure 4: rsc.dat \u2013 the backdoor without magic bytes in the header<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The next step is to execute the backdoor. When doing so, the loader attempts to spoof the backdoor\u2019s parent process to be <code>svchost.exe<\/code>. This is achieved by calling <code>CreateProcess<\/code> and setting the parent process attribute (<code>PROC_THREAD_ATTRIBUTE_PARENT_PROCESS<\/code>) to the first <code>svchost.exe<\/code> process found in the system. Parent process spoofing may aid in the evasion of security products. Generally, this method may also be used for gaining SYSTEM privileges, but in our case, the loader is already running as a system service. If the spoofing fails, the loader will run the backdoor without it.<\/p>\n<p>The backdoor is executed with the command-line argument \u201c<code>-ser<\/code>\u201d.<\/p>\n<h5>Service Watchdog<\/h5>\n<p>The loader also sets a watchdog to ensure it remains operational. The watchdog module, <code>lic.dll<\/code>, is injected into a newly spawned <code>lsass.exe<\/code> process.<\/p>\n<p>The injection is implemented in <code>inj.dll<\/code>, which uses <code>VirtualAllocEx<\/code> and <code>SetThreadContext<\/code> to run shellcode in the target process. The shellcode loads a DLL and then jumps back to the thread\u2019s previous instruction pointer.<\/p>\n<p>Subsequently, <code>lic.dll<\/code> begins to monitor the <code>DriveGuard<\/code> service, restarting it whenever it has stopped. In addition, it ensures that the <code>DriveGuard<\/code> service is always configured to start automatically on system startup.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--5 aem-GridColumn--default--2\"><img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_1939921314.img.png\/1643831223214\/img5.png\" alt=\"Figure 5: The shellcode injected by inj.dll into lsass.exe\"\/> <span class=\"cmp-image--title\">Figure 5: The shellcode injected by inj.dll into lsass.exe<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h5>Broker Backdoor<\/h5>\n<p>The backdoor component oversees receiving and executing commands from the C2 server. It runs only if it receives the command-line argument \u201c<code>-ser<\/code>\u201d. Otherwise, it triggers a divide-by-zero exception. This is most likely an attempt to thwart dynamic analysis by automated security products such as sandboxes.<\/p>\n<p>To ensure that only one instance of the backdoor is running on the system, it creates an event called \u201c<code>Program event<\/code>\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--4\"><img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_612789678.img.png\/1643831352971\/img6.png\" alt=\"Figure 6: Event created by the backdoor\"\/> <span class=\"cmp-image--title\">Figure 6: Event created by the backdoor<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h5>Configuration<\/h5>\n<p>The backdoor\u2019s configuration is stored encrypted in a file at <code>C:\\Users\\Public\\Libraries\\cfg.dat<\/code>. The encryption scheme used is XOR-based and can be decrypted by the following Python code. The hardcoded key is consistent throughout all the samples in our possession.<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3\">\n<div class=\"text-container\">\n<pre><code class=\"language-python\">def decrypt(encrypted):\n    # encrypted: the raw bytes of cfg.dat (or of a C2 message, which uses the same scheme)\n    # 16-byte key hardcoded in the backdoor; identical across all analysed samples\n    key = '9c4arSBr32g6IOni'\n    result = ''\n    for i in range(len(encrypted)):\n        # each key byte is offset by 4 before being XORed with the ciphertext byte\n        key_char = ord(key[i % 16]) + 4\n        enc_char = encrypted[i]\n        # the XOR output is offset by another 4 to recover the plaintext byte\n        result_char = (key_char ^ enc_char) + 4\n        result += chr(result_char)\n    return result\n<\/code><\/pre>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3\">\n<p>Figure 7: Python implementation of the decryption routine for the configuration file<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The decrypted configuration contains two sets of C2 and URI 
addresses, alongside a time interval, in seconds, that determines the frequency at which to contact the server. A random value between 0 and 2 seconds is added to the interval to cause jitter.<\/p>\n<p>If the configuration file does not exist, the malware uses plaintext configuration values hardcoded in the executable. In our samples, these values are identical to the ones in the configuration file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--4\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_1719818158.img.png\/1643831480550\/img8.png\" alt=\"Figure 8: Decrypted backdoor configuration\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8: Decrypted backdoor configuration<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h5>Communicate Your \u201cBoundries\u201d<\/h5>\n<p>The main part of the malware oversees communication with the server, parsing its responses and executing commands. The backdoor first sends a POST request, as can be seen in figure 9, to the first configured server. 
It alternates between contacting the two servers depending on their status, switching between them when they are unresponsive or return empty replies.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--5\"><img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_1793334601.img.png\/1643831544056\/img9.png\" alt=\"Figure 9: HTTP POST request sent by the backdoor to the C2\"\/> <span class=\"cmp-image--title\">Figure 9: HTTP POST request sent by the backdoor to the C2<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The request looks like encoded HTML form data delimited by a boundary value that appears to contain a misspelled &quot;<code>BoundrySign<\/code>&quot; string. The noteworthy fields in the request are <code>token<\/code> and <code>data<\/code>.<\/p>\n<p>The <code>data<\/code> field contains information about the infected machine. The machine time zone has been chosen by the attackers for the purpose of regional attribution. This string is encrypted with the same algorithm and key that were used to encrypt the configuration file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\"><img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_1873938321.img.png\/1643831597162\/img10.png\" alt=\"Figure 10: Format of victim information sent to the C2\"\/> <span class=\"cmp-image--title\">Figure 10: Format of victim information sent to the C2<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Interestingly, the malware fails to retrieve the correct OS version because it uses the deprecated <code>GetVersionEx<\/code> API, which causes executables without an updated manifest to invariably return the Windows 8 value while actually running on a newer operating system.<\/p>\n<p>The <code>token<\/code> field comprises the hostname, username, and an ID. The hostname and username are encrypted with a ROT5 Caesar cipher, meaning that 5 is added to each character\u2019s ASCII value. The encrypted result is then appended to the ID.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--3\"><img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_1991294814.img.jpeg\/1643831638422\/img11.jpeg\" alt=\"Figure 11: Format of unique identifier sent to the C2\"\/> <span class=\"cmp-image--title\">Figure 11: Format of unique identifier sent to the C2<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The ID is hardcoded in the binary and is a distinctive identifier of a specific target organization. Namely, backdoor binaries are specially compiled per target before they are deployed by the threat actor.<br \/> The backdoor continually queries the server for commands. In the event of five consecutive unsuccessful queries, the backdoor will switch to contacting the backup server. An unsuccessful query is considered to be one of the following:<\/p>\n<ul>\n<li>The server is unresponsive.<\/li>\n<li>The parsed response starts with the byte 0xA.<\/li>\n<li>The parsed response is empty. 
<\/li>\n<\/ul>\n<p>The server response is parsed until the first \u201c]\u201d character and everything after it is disregarded. If the response lacks a \u201c]\u201d, it is treated as an empty response.<\/p>\n<p>If the parsed server response is \u201c<code>on<\/code>\u201d, the backdoor will continue to query the same server without switching to the backup server. Any other response is treated as a command. As such, it is decrypted with the same algorithm and key as specified previously. If the decrypted response data is <code>self<\/code>, the backdoor stops executing. Otherwise, it proceeds to parse the decrypted data as a command with the following format:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--3\"><img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_1521662701.img.png\/1643831807535\/img12.png\" alt=\"Figure 12: Format of commands sent by the C2\"\/> <span class=\"cmp-image--title\">Figure 12: Format of commands sent by the C2<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul style=\"list-style-type: square;\">\n<li>Type \u2013 The command type. This can be one of the values from the \u201cType\u201d column in the Commands table.<\/li>\n<li>Arg1\u2026Arg4 \u2013 The command arguments. Not all arguments are provided for every command, in which case their value will be the string \u201c<code>null<\/code>\u201d.<\/li>\n<li>ID \u2013 A unique identifier. This ID is sent to the server alongside the command results to associate the results with the executed command.<\/li>\n<\/ul>\n<h4>Supported Commands<\/h4>\n<p>The following is a list of the commands that the backdoor may receive from the server. Several commands involve downloading additional DLLs from the server and executing them. The functionality of these modules is unknown at this time.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--3\">\n<p><i>Figure 13: List of supported commands<\/i><\/p>\n<p>* Command present in the newer versions only<br \/> ** Command present in the older versions only<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b>History of Operations<\/b><\/h2>\n<p>Using YARA rules in VirusTotal\u2019s retrohunt engine, we detected two older samples of the backdoor. Both samples were uploaded around the end of December 2020, which leads us to believe that this campaign has been operating for at least a year. Until <a href=\"https:\/\/www.cybereason.com\/blog\/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations\" target=\"_blank\">recently<\/a>, they have been flying under the radar with a very low detection rate.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\"><img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_1946741514.img.png\/1643832393548\/img14.png\" alt=\"Figure 14: VirusTotal entries of the older backdoor versions\"\/> <span class=\"cmp-image--title\">Figure 14: VirusTotal entries of the older backdoor versions<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The most notable differences between the versions are the configuration file and the commands.<\/p>\n<p>In lieu of a configuration file, the older variants exclusively use values hardcoded in the binary. In terms of commands, a few modifications have taken place between the versions. As can be seen in figure 13, various new commands have been added to the latest samples, while other commands have been eliminated. Although commands were removed, we assess that the code might have been moved to one of the modules that can be fetched from the server.<\/p>\n<p>Certain modifications may aim to improve covertness and hinder detection. For example, the older samples were able to receive the \u201c<code>au<\/code>\u201d command to register a scheduled task using a command line that was hardcoded in the binary. In recent attacks, on the other hand, we observed task registration via a scheduled task XML file that was dropped by the backdoor.<\/p>\n<p>The last minor difference between versions is the name of the event. Older versions created an event called \u201c<code>program Event<\/code>\u201d. This capitalization error was corrected in the recent versions.<\/p>\n<p>Searching for the C2 addresses in FortiGuard Labs\u2019 threat intelligence systems shows a large spike in traffic volume during April 2021. This indicates that the group was operational long before their initial public exposure. 
All the network traffic to the malicious servers originated from Israeli IP addresses.<\/span><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_1675982021.img.png\/1643942799451\/img15.png\" alt=\"Figure 15: FortiGuard Labs&#39; historical data for C2 IP address\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15: FortiGuard Labs&#39; historical data for C2 IP address<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_2081966440.img.png\/1643942930164\/img16.png\" alt=\"Figure 16: FortiGuard Labs\u2019 historical data for C2 domain name\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16: FortiGuard Labs\u2019 historical data for C2 domain name<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"font-family: Roboto;\"><span style=\"font-family: Arial , Helvetica , sans-serif;\">During our investigations, we were able to take over and sinkhole the<\/span> <\/span><span 
style=\"font-family: &quot;Courier New&quot;;\">techzenspace[.]com<\/span><span style=\"font-family: Roboto;\"> <span style=\"font-size: 14.0px;\"><span style=\"font-family: Arial , Helvetica , sans-serif;\">domain at the beginning of January 2022. This was done to try to prevent the backdoor from operating for the near future while attempting to identify additional infected organizations that are not Fortinet customers.<\/span><\/span><\/span><\/span><\/span><\/p>\n<h2><b>Attribution<\/b><\/h2>\n<p><span style=\"font-size: 14.0px;\"><span style=\"font-family: Roboto;\"><span style=\"font-family: Arial , Helvetica , sans-serif;\">We were able to attribute the<\/span> <\/span><span style=\"font-family: &quot;Courier New&quot;;\">iispool.aspx<\/span><span style=\"font-family: Roboto;\"> <span style=\"font-family: Arial , Helvetica , sans-serif;\">web shell to the <\/span><\/span><span style=\"font-family: Arial , Helvetica , sans-serif;\">Moses Staff group based on <a href=\"https:\/\/research.checkpoint.com\/2021\/mosesstaff-targeting-israeli-companies\/\" style=\"color: rgb(5,99,193);text-decoration: underline;\" target=\"_blank\">past research<\/a>.\u00a0Both the web shell path and its code are identical to the ones previously reported. Another recent publication referenced in the previous section reaffirms our attribution.<\/span><\/span><\/p>\n<p><span style=\"font-size: 14.0px;\"><span style=\"font-family: Arial , Helvetica , sans-serif;\"><\/span><\/span>All victims are Israeli organizations belonging to various industries. Although the attacks we identified did not reach a destructive stage, we can\u2019t rule out the possibility that the backdoor is used before that to exfiltrate data from target networks.<\/p>\n<h2><b>Conclusion<\/b><\/h2>\n<p>We have been monitoring Moses Staff operations closely these past few months. 
We have analyzed new TTPs and attributed a new set of tools to the group, including a backdoor, a loader and a web shell.<\/p>\n<p>The group is highly motivated, capable, and set on damaging Israeli entities. While they have been operating continuously and vigorously since late 2020, they were only publicly acknowledged about a year later. At this point, they continue to depend on 1-day exploits for their initial intrusion phase.<\/p>\n<p>Although the attacks we identified were carried out for espionage purposes, this does not negate the possibility that the operators will later turn to destructive measures. We believe that ransomware or wipers may not have been deployed because FortiEDR blocked earlier stages of the attack.<\/p>\n<h2><b>Fortinet Protections<\/b><\/h2>\n<p>FortiEDR detects and blocks these threats out-of-the-box without any prior knowledge or special configuration. It does this using its post-execution prevention engine to identify malicious activities:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_1023791573.img.png\/1643832631423\/fig17.png\" alt=\"Figure 17: FortiEDR blocking the memory dumping attempt of lsass.exe\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 17: FortiEDR blocking the memory dumping attempt of lsass.exe<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               
<noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image_2110963258.img.png\/1643832645233\/img18.png\" alt=\"Figure 18: FortiEDR blocking the backdoor communication\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 18: FortiEDR blocking the backdoor communication<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>All network IOCs have been added to the FortiGuard WebFiltering blocklist.<\/p>\n<p>The FortiGuard AntiVirus service engine is included in Fortinet\u2019s\u00a0FortiGate,\u00a0FortiMail,\u00a0FortiClient, and\u00a0FortiEDR\u00a0solutions. FortiGuard AntiVirus\u00a0has coverage in place as follows:<\/p>\n<p style=\"margin-left: 40.0px;\">ASP\/Webshell.DW!tr<br \/> W64\/Agent.AVV!tr<br \/> W32\/Agent.UWN!tr<br \/> W32\/Agent.UYS!tr<br \/> W64\/Agent.AVS!tr<br \/> W64\/Agent.AVU!tr<\/p>\n<p>In addition, as part of our membership in the Cyber Threat Alliance, details of this threat were shared in real time with other Alliance members to help create better protections for customers.<\/p>\n<h2>Appendix A \u2013 MITRE ATT&amp;CK Techniques<\/h2>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--3\">\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"624\">\n<tbody>\n<tr>\n<td width=\"187\" valign=\"top\">\n<h4 style=\"text-align: center;\"><u>ID<\/u><\/h4>\n<\/td>\n<td width=\"437\" valign=\"top\">\n<h4 style=\"text-align: center;\"><u>Description<\/u><\/h4>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1190<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Exploit Public-Facing Application<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p 
style=\"text-align: center;\">T1505.003<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Server Software Component:\u00a0Web Shell<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1083<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">File and Directory Discovery<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1003.001<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">OS Credential Dumping:\u00a0LSASS Memory<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1005<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Data from Local System<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1114<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Email Collection<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1569.002<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">System Services:\u00a0Service Execution<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1480<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Execution Guardrails<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1134.004<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Access Token Manipulation:\u00a0Parent PID Spoofing<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1055<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Process Injection<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1140<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Deobfuscate\/Decode Files or Information<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1071.001<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Application 
Layer Protocol: Web Protocols<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1082<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">System Information Discovery<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1033<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">System Owner\/User Discovery<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1573.001<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Encrypted Channel:\u00a0Symmetric Cryptography<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1008<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Fallback Channels<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1059.003<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Command and Scripting Interpreter:\u00a0Windows Command Shell<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">\u00a0T1113<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Screen Capture<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1053.005<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Scheduled Task\/Job: Scheduled Task<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">\n<p style=\"text-align: center;\">T1041<\/p>\n<\/td>\n<td width=\"437\">\n<p style=\"text-align: center;\">Exfiltration Over C2 Channel<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Appendix B: IOCs<\/h2>\n<p><b><br \/> File Hashes (SHA256)<br \/>  <\/b>2ac7df27bbb911f8aa52efcf67c5dc0e869fcd31ff79e86b6bd72063992ea8ad (map.aspx)<br \/> ff15558085d30f38bc6fd915ab3386b59ee5bb655cbccbeb75d021fdd1fde3ac (agent4.exe)<br \/> cafa8038ea7e46860c805da5c8c1aa38da070fa7d540f4b41d5e7391aa9a8079 (calc.exe)<b><br \/> 
<\/b><\/p>\n<p><b>File Names<br \/>  <\/b>iispool.aspx<br \/> map.aspx<br \/> drvguard.exe<br \/> agent4.exe<br \/> calc.exe<br \/> inj.dll<br \/> lic.dll <\/p>\n<p><b>Event Names<\/b><br \/> program Event<br \/> Program event<\/p>\n<p><b>IPs<\/b><br \/> 87.120.8[.]210<\/p>\n<p><b>Domains<\/b><br \/> techzenspace[.]com<\/p>\n<p><b>URLs<\/b><br \/> hxxp:\/\/87.120.8.210:80\/RVP\/index3.php<br \/> hxxp:\/\/techzenspace.com:80\/RVP\/index8.php<\/p>\n<p><i>Learn more about Fortinet\u2019s\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\"><i>FortiGuard Labs<\/i><\/a><i>\u00a0threat research and intelligence organization and the FortiGuard Security Subscriptions and Services\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\"><i>portfolio<\/i><\/a><i>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/guard-your-drive-from-driveguard\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/guard-your-drive-from-driveguard\/_jcr_content\/root\/responsivegrid\/image.img.png\/1643830959622\/fig-1.png\"\/><br \/>FortiGuard Labs identified a new campaign operated by threat actor Moses Staff. 
Read our blog to learn the TTPs used and about a new backdoor used to download files, execute payloads, and exfiltrate data from target networks.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18289","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18289"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18289\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}