DCSrv
DCSrv is malware associated with Moses Staff that masquerades as the legitimate Windows svchost.exe process/service. It is used to block access to infected computers and encrypt all volumes using the core encryption mechanism and signed drivers from the legitimate open-source DiskCryptor utility. Reported behavior includes creating Registry keys for persistence, comparing the current host time against a configuration value to determine when encryption should begin, using Windows API functions including DeviceIoControl during encryption, and sleeping for two hours before rebooting the system. PyDCrypt has been observed dropping DCSrv to disk under the svchost.exe name and ensuring execution of the payload. The malware is discussed in the context of Moses Staff operations targeting primarily Israeli organizations, including disruptive intrusions and data theft/publication activity, with additional victim organizations reported in Italy, India, Germany, Chile, Turkey, the UAE, and the United States. High-confidence indicators mentioned in the content include the hashes 48220a3a4c72317ae0fbb08e255b8350, 4cba27111c5fca7a1ae78566de2df5b3, a7704fbccaeb78678a5f94714993567c, aa579d5f062f02d9ff76910560bb312c, and f8c06e955718639ba9ffdd4265965593.
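Because DCSrv is dropped under the svchost.exe name, a useful host-side check is to triage process-creation events for svchost.exe instances that do not look like the genuine one (wrong directory, not spawned by services.exe) and to match image hashes against the five MD5s listed above. The following is an added example written for this page, not Mallory's code or anything from the Moses Staff reporting; the event records, the parent name pydcrypt.exe and the placeholder hashes are constructed, and the parent-process heuristic needs an allowlist tuned to your environment.

```python
"""Triage process-creation events for svchost.exe masquerades and known DCSrv hashes.

Added example for this page (not vendor or project code). Event records below
are constructed; the MD5 set is the list of indicators given on the page.
"""
from dataclasses import dataclass

# MD5 hashes listed on the page as high-confidence DCSrv indicators
DCSRV_MD5 = {
    "48220a3a4c72317ae0fbb08e255b8350",
    "4cba27111c5fca7a1ae78566de2df5b3",
    "a7704fbccaeb78678a5f94714993567c",
    "aa579d5f062f02d9ff76910560bb312c",
    "f8c06e955718639ba9ffdd4265965593",
}

# Directories a genuine svchost.exe is launched from (lower-cased, trailing backslash)
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Genuine svchost.exe is normally a child of services.exe; extend this tuple
# with any legitimate exceptions observed in your telemetry (assumption: none here)
LEGIT_SVCHOST_PARENTS = ("services.exe",)


@dataclass
class ProcessEvent:
    image: str         # full path of the started executable
    parent_image: str  # full path of the parent executable
    md5: str           # MD5 of the image on disk (as reported by the sensor)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    p = _norm(path)
    return p.rsplit("\\", 1)[0] + "\\" if "\\" in p else ""


def triage(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means nothing fired."""
    reasons = []
    if ev.md5.lower() in DCSRV_MD5:
        reasons.append("hash matches known DCSrv sample")
    if basename(ev.image) == "svchost.exe":
        if dirname(ev.image) not in LEGIT_SVCHOST_DIRS:
            reasons.append("svchost.exe launched outside System32/SysWOW64")
        if basename(ev.parent_image) not in LEGIT_SVCHOST_PARENTS:
            reasons.append("svchost.exe not spawned by services.exe")
    return reasons


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, reasons) for every event that raised at least one reason."""
    hits = []
    for ev in events:
        reasons = triage(ev)
        if reasons:
            hits.append((ev.image, reasons))
    return hits


# Constructed sample events: one genuine svchost, one DCSrv-style masquerade
# (hash taken from the page), one unrelated process with a placeholder hash.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe", "0" * 32),
    ProcessEvent(r"C:\Users\Public\svchost.exe",
                 r"C:\Users\Public\pydcrypt.exe",  # constructed parent name
                 "48220a3a4c72317ae0fbb08e255b8350"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", "1" * 32),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

Hash matching only catches the samples already listed; the two svchost.exe heuristics are what give coverage for a recompiled DCSrv dropped under the same name, at the cost of needing an allowlist for any legitimate svchost parents your environment has.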
Groups observed using it
1 distinct threat actor attributed by public researchers.
DCSrv is a malicious process masquerading as the legitimate “svchost.exe” process. DCSrv blocks all access to the computer and encrypts all its volumes using the legitimate open-source encryption utility DiskCryptor.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines.
Execution
2 techniques
Persistence
3 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”
Agent Tesla can achieve persistence by modifying Registry key entries. Attor's dispatcher can modify the Run registry key. Kimsuky has also modified the registry entry for HKCU:\Software\Microsoft\Windows\CurrentVersion\Run registry key for persistence with the name WindowsSecurityCheck. PLAINTEE uses reg add to add a Registry Run key for persistence.
Privilege Escalation
2 techniques
Stealth
4 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Defense Impairment
1 technique
Discovery
1 technique
Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \ip/hostname for system time discovery"; "collects the timestamp from the victim’s machine"; "can collect the time zone information from the system").
Lateral Movement
1 technique
PyDCrypt is a program written in Python and built with PyInstaller that is used to infect other computers on the network and ensure that the main payload DCSrv is executed properly.
Exfiltration
2 techniques
Overall, the leaked data seems to be the result of hacking operations by Moses Staff: the files seem to have been exfiltrated through the use of malware from computers belonging to the targeted organization...
Their main activity is to damage Israeli companies by stealing and publishing sensitive data... The archive was first published by Moses Staff in June 2022, it included leaked data from multiple companies in Israel.
Impact
3 techniques
DCSrv blocks all access to the computer and encrypts all its volumes using the legitimate open-source encryption utility DiskCryptor... Since the Moses Staff group is not attempting financial gain, and its main objective is to cause damage, there is usually no way to pay the ransom and decrypt the data.
DCSrv blocks all access to the computer and encrypts all its volumes using the legitimate open-source encryption utility DiskCryptor.
"AcidPour includes functionality to reboot the victim system following wiping actions..."; "AcidRain reboots the target system once the various wiping processes are complete"; "Apostle reboots the victim machine following wiping"; "APT37 ... issue the command shutdown /r /t 1 to reboot a system after wiping its MBR"; "APT38 ... BOOTWRECK ... initiate a system reboot after wiping the victim's MBR"; "Black Basta ... used ShellExecuteA to shut down and restart"; "DarkGate ... used the shutdown command"; "HermeticWiper can initiate a system shutdown"; "NotPetya will reboot the system one hour after infection"; "Shamoon will reboot the infected system once the wiping functionality has been completed"; "WhisperGate can shutdown ... through ... ExitWindowsEx"
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Custom malware built by Moses Staff for targeting victims' machines.
A malicious payload masquerading as svchost.exe that blocks access to the computer and encrypts all volumes using DiskCryptor, functioning as destructive pseudo-ransomware without a payment path.
Malware used by Moses Staff to target victim machines.
Ransomware that encrypts drives leveraging DiskCryptor’s core encryption mechanism.