DCSrv

DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.^[1]

ID: S1033

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India

Version: 1.0

Created: 11 August 2022

Last Modified: 24 October 2022

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	DCSrv has created new services for persistence by modifying the Registry.^[1]
Enterprise	T1486		Data Encrypted for Impact	DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor.^[1]
Enterprise	T1036	.004	Masquerading: Masquerade Task or Service	DCSrv has masqueraded its service as a legitimate svchost.exe process.^[1]
Enterprise	T1112		Modify Registry	DCSrv has created Registry keys for persistence.^[1]
Enterprise	T1106		Native API	DCSrv has used various Windows API functions, including `DeviceIoControl`, as part of its encryption process.^[1]
Enterprise	T1027		Obfuscated Files or Information	DCSrv's configuration is encrypted.^[1]
Enterprise	T1529		System Shutdown/Reboot	DCSrv has a function to sleep for two hours before rebooting the system.^[1]
Enterprise	T1124		System Time Discovery	DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process.^[1]

Groups That Use This Software

ID	Name	References
G1009	Moses Staff	^[1]

References

Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.

DCSrv

Enterprise Layer

Techniques Used

Groups That Use This Software

References