Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months | FortiGuard Labs
Tags
cmtmf-attack-pattern:
  Application Layer Protocol
  Command And Scripting Interpreter
  Exploit Public-Facing Application
  Process Injection
  Scheduled Task/Job
attack-pattern:
  Data Application Layer Protocol - T1437
  Command And Scripting Interpreter - T1623
  Credentials - T1589.001
  Data From Local System - T1533
  Domains - T1583.001
  Domains - T1584.001
  Encrypted Channel - T1521
  Encrypted Channel - T1573
  Execution Guardrails - T1480
  Execution Guardrails - T1627
  Exfiltration Over C2 Channel - T1646
  Exploit Public-Facing Application - T1377
  Exploits - T1587.004
  Exploits - T1588.005
  File And Directory Discovery - T1420
  Ip Addresses - T1590.005
  Lsass Memory - T1003.001
  Malware - T1587.001
  Malware - T1588.001
  System Information Discovery - T1426
  Parent Pid Spoofing - T1134.004
  Parent Pid Spoofing - T1502
  Process Injection - T1631
  Python - T1059.006
  Scheduled Task - T1053.005
  Scheduled Task/Job - T1603
  Screen Capture - T1513
  Server - T1583.004
  Server - T1584.004
  Server Software Component - T1505
  Service Execution - T1569.002
  Symmetric Cryptography - T1521.001
  Symmetric Cryptography - T1573.001
  System Services - T1569
  Windows Command Shell - T1059.003
  Web Protocols - T1071.001
  Web Protocols - T1437.001
  Web Shell - T1505.003
  Tool - T1588.002
  Vulnerabilities - T1588.006
  Access Token Manipulation - T1134
  Standard Application Layer Protocol - T1071
  Command-Line Interface - T1059
  Credential Dumping - T1003
  Data From Local System - T1005
  Deobfuscate/Decode Files Or Information - T1140
  Email Collection - T1114
  Exfiltration Over Command And Control Channel - T1041
  Exploit Public-Facing Application - T1190
  Fallback Channels - T1008
  File And Directory Discovery - T1083
  Process Injection - T1055
  Scheduled Task - T1053
  Screen Capture - T1113
  Service Execution - T1035
  System Information Discovery - T1082
  System Owner/User Discovery - T1033
  Web Shell - T1100
  Exploit Public-Facing Application
  Screen Capture
Common Information
Type Value
UUID ba6a8e7e-bb76-4e00-84e2-eee5cf158fa0
Fingerprint b7999551043cae93
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 15, 2022, midnight
Added to db Sept. 11, 2022, 12:42 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months
Title Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months | FortiGuard Labs
Detected Hints/Tags/Attributes 131/2/48
Attributes
Type                     #Events  Value
Domain                   2        techzenspace.com
File                     2        iispool.aspx
File                     1        map.aspx
File                     478      lsass.exe
File                     1        c:\windows\system32\drvguard.exe
File                     1        c:\windows\system32\rsc.dat
File                     1        c:\windows\system32\broker.exe
File                     1        rsc.dat
File                     1122     svchost.exe
File                     2        lic.dll
File                     1        inj.dll
File                     1        c:\users\public\libraries\cfg.dat
File                     1        ar.dll
File                     1        ar.dat
File                     1        c:\users\public\libraries\tmp.bin
File                     2        c:\users\public\libraries\async.dat
File                     1        agent.avs
File                     2        agent4.exe
File                     312      calc.exe
File                     2        drvguard.exe
File                     4        index3.php
File                     2        index8.php
sha256                   1        2ac7df27bbb911f8aa52efcf67c5dc0e869fcd31ff79e86b6bd72063992ea8ad
sha256                   1        ff15558085d30f38bc6fd915ab3386b59ee5bb655cbccbeb75d021fdd1fde3ac
sha256                   1        cafa8038ea7e46860c805da5c8c1aa38da070fa7d540f4b41d5e7391aa9a8079
IPv4                     2        87.120.8.210
MITRE ATT&CK Techniques  542      T1190
MITRE ATT&CK Techniques  104      T1505.003
MITRE ATT&CK Techniques  585      T1083
MITRE ATT&CK Techniques  173      T1003.001
MITRE ATT&CK Techniques  534      T1005
MITRE ATT&CK Techniques  89       T1114
MITRE ATT&CK Techniques  174      T1569.002
MITRE ATT&CK Techniques  48       T1480
MITRE ATT&CK Techniques  4        T1134.004
MITRE ATT&CK Techniques  440      T1055
MITRE ATT&CK Techniques  504      T1140
MITRE ATT&CK Techniques  442      T1071.001
MITRE ATT&CK Techniques  1006     T1082
MITRE ATT&CK Techniques  230      T1033
MITRE ATT&CK Techniques  130      T1573.001
MITRE ATT&CK Techniques  41       T1008
MITRE ATT&CK Techniques  333      T1059.003
MITRE ATT&CK Techniques  219      T1113
MITRE ATT&CK Techniques  275      T1053.005
MITRE ATT&CK Techniques  422      T1041
Url                      1        http://87.120.8.210:80/rvp/index3.php
Url                      1        http://techzenspace.com:80/rvp/index8.php