StrifeWater: Unmasking the New RAT Deployed by Iranian APT Moses Staff
- Actor Motivations: Espionage, Sabotage
- Attack Vectors: Ransomware, RAT
- Attack Complexity: High
- Threat Risk: High Impact/Low Probability
Threat Overview
The Iranian APT group Moses Staff has deployed a new, previously undocumented Remote Access Trojan (RAT), StrifeWater, in its cyber-espionage and disruption operations. StrifeWater is used in the initial stages of an intrusion and provides capabilities such as listing system files, executing system commands, establishing persistence, and downloading updates to itself. In later stages it is replaced by ransomware, deployed not for financial gain but to disrupt operations and damage systems. Victims span multiple countries, including Israel, Italy, India, Germany, Chile, Turkey, the UAE, and the US.
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | Financial | Verified |
Sector | Manufacturing | Verified |
Sector | Energy | Verified |
Sector | Political | Verified |
Sector | Tourism | Verified |
Region | Chile | Verified |
Region | Germany | Verified |
Region | India | Verified |
Region | Israel | Verified |
Region | Italy | Verified |
Region | Turkey | Verified |
Region | United Arab Emirates | Verified |
Region | United States | Verified |
Extracted IOCs
- techzenspace[.]com
- 87[.]120.8.210
- 87[.]120.8.210:80/rvp/index8[.]php
Tip: 3 IOCs (1 IP, 1 domain, 1 URL; no e-mail or file-hash indicators) are associated with this threat.
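As an added example (not part of this threat entry and not code from any vendor), the following Python refangs the three indicators listed above and scans log lines for them. The log lines are constructed for the demo, and the boundary rules in the regexes are this example's own choices: the domain pattern also catches subdomains but not look-alike names such as nottechzenspace.com, the IP pattern will not fire inside a longer address such as 187.120.8.210, and the URL pattern requires the exact path. Expect the bare IP to fire on every hit of the full URL as well, and treat a bare-IP hit as weaker evidence than the domain or URL, since an address can be shared hosting.

```python
import re
from typing import Iterable, List, Tuple

# Indicators as published on this page, in their defanged form.
DEFANGED_IOCS = [
    "techzenspace[.]com",
    "87[.]120.8.210",
    "87[.]120.8.210:80/rvp/index8[.]php",
]

# Constructed sample log lines for the demo (not real telemetry).
SAMPLE_LOGS = [
    "2022-02-03T10:12:41Z proxy GET http://87.120.8.210:80/rvp/index8.php HTTP/1.1 200",
    "2022-02-03T10:13:02Z dns query A cdn.techzenspace.com from 10.0.4.17",
    "2022-02-03T10:13:05Z dns query A nottechzenspace.com from 10.0.4.18",
    "2022-02-03T10:14:00Z fw allow tcp 10.0.4.17:51000 -> 187.120.8.210:443",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp://) back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc: str) -> str:
    """Crude typing: URL if it carries a port or path, IP if a dotted quad, else domain."""
    if "/" in ioc or ":" in ioc:
        return "url"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ioc):
        return "ip"
    return "domain"


def build_patterns(iocs: Iterable[str]) -> List[Tuple[str, str, "re.Pattern[str]"]]:
    """Compile one boundary-aware regex per indicator (assumed boundary rules)."""
    patterns = []
    for raw in iocs:
        ioc = refang(raw)
        kind = classify(ioc)
        if kind == "url":
            # Scheme optional; path must match exactly, then end/space/quote/query.
            pat = re.compile(r"(?:https?://)?" + re.escape(ioc) + r"(?=[\s\"'?]|$)")
        elif kind == "ip":
            # No digit or dot on either side, so 187.120.8.210 does not match 87.120.8.210.
            pat = re.compile(r"(?<![\d.])" + re.escape(ioc) + r"(?![\d.])")
        else:
            # Allow subdomains (cdn.example.com) but not prefixes (notexample.com).
            pat = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(ioc) + r"(?![\w-])")
        patterns.append((kind, ioc, pat))
    return patterns


def scan(lines: Iterable[str], patterns) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator type, indicator) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, ioc, pat in patterns:
            if pat.search(line):
                hits.append((n, kind, ioc))
    return hits


if __name__ == "__main__":
    for n, kind, ioc in scan(SAMPLE_LOGS, build_patterns(DEFANGED_IOCS)):
        print(f"line {n}: {kind} hit on {ioc}")
```

Line 1 produces both an ip and a url hit, line 2 a domain hit via the subdomain, and lines 3 and 4 produce nothing; when wiring this into a real pipeline, dedupe per line and score the url and domain hits above the bare ip.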
Overlaps
Source: Fortinet - February 2022
Shared indicators (2): 87[.]120.8.210, techzenspace[.]com
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.