MosesStaff Technical Analysis: PyDCrypt Loader and DCSrv Wiper Use DiskCryptor for Ideologically Motivated Destruction Without Ransom

Check Point Research published a technical investigation into several MosesStaff incidents targeting Israeli organizations, providing detailed analysis of the group's PyDCrypt loader and DCSrv encryption wiper — tools designed not for financial extortion but for irreversible destruction of victim networks. Unlike its Pay2Key and BlackShadow predecessors, MosesStaff makes no ransom demand and offers no decryption option, operating purely on political motivation to damage Israeli organizations and expose what the group terms "Zionist crimes."

Initial Access and Lateral Movement: Exchange Vulnerabilities and LOLBins

Initial access is achieved by exploiting known vulnerabilities in publicly facing infrastructure, primarily Microsoft Exchange servers, followed by dropping a password-protected ASPX web shell to C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx. The shell uses MD5 authentication (hardcoded hash 52a04efc6a0e7facf34dcc36a6d1ce6f — MD5 of "joker123"). Alongside the web shell, attackers upload batch scripts (enabling SMB, disabling Windows Firewall on remote machines), a PsExec copy, and OICe.exe — a small Go executable that runs attacker commands via command-line arguments to avoid spawning suspicious cmd/PowerShell child processes. Lateral movement uses PsExec, WMIC, and PowerShell with harvested administrator credentials, with the victim's domain name, machine names, and credentials hardcoded into each per-victim PyDCrypt build.

PyDCrypt: Per-Victim Compiled Python Loader with Self-Destruct

PyDCrypt is written in Python, compiled with PyInstaller using the --key encryption flag, and executed from C:\Users\Public\csrss.exe. It requires the argument 113 as its first parameter — execution aborts and the binary self-deletes if the argument differs. Its workflow: creates a lock file to prevent multiple instances; XOR+Base64 decodes and drops DCSrv as C:\Users\Public\svchost.exe; decodes and drops a PsExec copy (ps.exe); uses netsh.exe to open SMB (445), NetBIOS (135/138/139), and RPC firewall rules on remote machines; iterates through hardcoded network machines and propagates itself via PowerShell, PsExec, or WMIC; then deletes all dropped artifacts including itself. Encryption keys are generated per-hostname using an MD5-based hash function with salts "Facebook5" and "4Skype4" applied through 10 iterations, producing a 31-character key.

DCSrv: DiskCryptor-Based Volume Wiper with Timed Detonation

DCSrv masquerades as svchost.exe and operates in three phases. In phase one it installs two services: DCUMSrv (persistence for re-execution on startup) and DCDrv (running the embedded DiskCryptor filter driver DCDrv.sys, written to C:\Windows\System32\drivers\DCDrv.sys). The driver carries a valid signature, so it loads without tripping Driver Signature Enforcement. Phase two encrypts all volumes (C: through Z:) simultaneously using multithreaded IOCTL calls (DC_CTL_ENCRYPT_START / DC_CTL_ENCRYPT_STEP) with AES (CF_AES mode), starting at a detonation time set at build time and hardcoded per victim — further evidence of targeted compilation. Phase three installs a DiskCryptor-derived bootloader displaying the message "Hacked By https://moses-staff.se ! Join Us in Telegram: https://t.me/moses_staff" via an embedded DLL exporting IsEFI and InstallLoader functions.

Encryption Flaw: Potential Reversibility via EDR Logs or PyDCrypt Extraction

Unlike professional ransomware groups using hybrid asymmetric/symmetric encryption, MosesStaff's scheme relies on a symmetric key passed as a command-line parameter, which any EDR solution that records process creation events will have logged. Recovery is possible by extracting the key from EDR process creation logs or by reverse engineering the PyDCrypt sample (before self-deletion) to reconstruct the per-hostname MD5-salt key derivation function. Once the key is obtained it can be entered at the DiskCryptor bootloader prompt to restore OS access, after which a custom program sending appropriate IOCTLs to the DiskCryptor driver can remove the encryption.
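The host artifacts described above (PyDCrypt as C:\Users\Public\csrss.exe gated on the argument 113, DCSrv as C:\Users\Public\svchost.exe, and netsh opening the SMB/NetBIOS/RPC ports) translate directly into process-creation detections, and because the DCSrv key travels on the command line, the finding must keep that line intact for responders. The following is an added example, not Check Point's or IntelFusions' code; the rule names are my own, the records are constructed sample telemetry, and the key argument is a placeholder.

```python
import re

# Constructed process-creation records in the shape an EDR export might take:
# (image path, command line, parent image). Sample data, not real telemetry;
# the last token of the DCSrv line stands in for the key argument the page
# says is passed on the command line.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\csrss.exe", "csrss.exe ObjectDirectory=\\Windows", "C:\\Windows\\System32\\smss.exe"),
    ("C:\\Users\\Public\\csrss.exe", "C:\\Users\\Public\\csrss.exe 113", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    ("C:\\Windows\\System32\\netsh.exe", "netsh advfirewall firewall add rule name=smb dir=in action=allow protocol=TCP localport=445", "C:\\Users\\Public\\csrss.exe"),
    ("C:\\Users\\Public\\svchost.exe", "C:\\Users\\Public\\svchost.exe CONSTRUCTED-KEY-PLACEHOLDER", "C:\\Users\\Public\\csrss.exe"),
    ("C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs", "C:\\Windows\\System32\\services.exe"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MASQUERADED = {"csrss.exe", "svchost.exe"}   # names PyDCrypt and DCSrv borrow
OPENED_PORTS = {"445", "135", "138", "139"}   # ports PyDCrypt opens via netsh

def classify(image, cmdline, parent):
    """Return the names of the rules (my own labels) that fire for one record."""
    hits = []
    img = image.lower()
    name = img.rsplit("\\", 1)[-1]
    # Rule 1: a core OS process name running outside the system directories
    # (PyDCrypt as C:\Users\Public\csrss.exe, DCSrv as C:\Users\Public\svchost.exe).
    if name in MASQUERADED and not img.startswith(SYSTEM_DIRS):
        hits.append("masqueraded-system-binary")
    # Rule 2: PyDCrypt's gate argument: it only runs when the first argument is 113.
    parts = cmdline.split()
    if name == "csrss.exe" and len(parts) > 1 and parts[1] == "113":
        hits.append("pydcrypt-gate-argument")
    # Rule 3: netsh adding a firewall rule for one of the SMB/NetBIOS/RPC ports.
    port = re.search(r"localport=(\d+)", cmdline.lower())
    if name == "netsh.exe" and "firewall" in cmdline.lower() and port and port.group(1) in OPENED_PORTS:
        hits.append("netsh-opens-lateral-movement-port")
    return hits

def scan(events):
    """Run every record through classify(); keep the full command line with each
    finding, because for DCSrv that line is where the encryption key was passed."""
    findings = []
    for image, cmdline, parent in events:
        hits = classify(image, cmdline, parent)
        if hits:
            findings.append({"image": image, "parent": parent, "cmdline": cmdline, "rules": hits})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["image"], f["rules"], "<-", f["parent"])
```

Rule 1 alone also catches the DCSrv launch, whose preserved command line is the artifact the recovery path above depends on.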

Read the full analysis on IntelFusions