Moses Staff Campaigns Against Israeli Organizations

February 21, 2022

The initial intrusion was accomplished by exploiting ProxyShell, a chain of Microsoft Exchange Server vulnerabilities that allows an unauthenticated attacker to execute arbitrary commands on the server through its exposed HTTPS port. With that access, the attackers deployed two web shells under the Exchange web root:

C:/inetpub/wwwroot/aspnet_client/system_web/iispool.aspx
C:/inetpub/wwwroot/aspnet_client/system_web/map.aspx

The two web shells are used in conjunction with one another, and some of their functionality overlaps. On numerous occasions, map.aspx was used to validate the results of commands executed through iispool.aspx.

After gaining access, the attackers spent several days exfiltrating PST files (Outlook mailbox archives) and other sensitive data from the compromised server. They then attempted to steal credentials by creating a memory dump of lsass.exe with a LOLBin, a legitimate signed Windows binary abused for the purpose. Finally, they dropped and installed the backdoor components.
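The two observations above that a defender can act on are the location of the web shells and the lsass.exe dump. The aspnet_client directory on an IIS/Exchange host normally holds only static client-side resources (JavaScript files), so any request for a server-side script beneath it is worth an alert, and a memory dump of lsass.exe via a signed Windows binary leaves a recognizable process command line. The following Python script is an added example written for this page, not code from the report or from Moses Staff's tooling. It parses IIS W3C log lines, flags .aspx (and similar) requests under /aspnet_client/, groups them by client IP to surface the paired-shell pattern, and scans process command lines for lsass dumping. The log lines and command lines are constructed samples; the report does not name the LOLBin used, so the rundll32/comsvcs.dll MiniDump command line and the procdump pattern are assumptions chosen for illustration, not indicators taken from the campaign.

```python
"""Hunt IIS logs and process command lines for the TTPs described above.

Added example for this page; the sample data below is constructed, not
taken from the Moses Staff campaign.
"""
import re

# Constructed IIS W3C log excerpt. IIS replaces spaces in the User-Agent
# with '+', so every field is a single whitespace-free token.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-01-10 08:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-01-10 08:12:44 10.0.0.5 GET /aspnet_client/system_web/4_0_30319/WebForms.js - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-01-10 08:13:02 10.0.0.5 POST /aspnet_client/system_web/iispool.aspx - 443 - 198.51.100.23 python-requests/2.26.0 200
2022-01-10 08:13:05 10.0.0.5 GET /aspnet_client/system_web/map.aspx - 443 - 198.51.100.23 python-requests/2.26.0 200
2022-01-10 08:14:10 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 401
"""

# Constructed process-creation command lines (e.g. from Sysmon Event ID 1).
# The comsvcs.dll MiniDump line is an assumed LOLBin technique; the report
# does not say which binary the attackers used.
SAMPLE_PROCESS_CMDLINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\ls.dmp full",
    r'"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe"',
]

# Extensions IIS hands to a server-side handler; none belong under aspnet_client.
SERVER_SIDE_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".cshtml")
STATIC_ONLY_DIRS = ("/aspnet_client/",)

LSASS_DUMP_PATTERNS = [
    re.compile(r"comsvcs(\.dll)?[^\n]*minidump", re.I),  # rundll32 comsvcs.dll, MiniDump <pid> <file> full
    re.compile(r"procdump[^\n]*lsass", re.I),             # procdump -ma lsass.exe <file>
]


def parse_iis_w3c(text):
    """Return one dict per log row, keyed by the names in the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        parts = line.split()
        if len(parts) != len(fields):
            continue  # drop malformed rows instead of misaligning columns
        rows.append(dict(zip(fields, parts)))
    return rows


def find_webshell_requests(rows):
    """Rows that request a server-side script inside a static-only directory."""
    hits = []
    for row in rows:
        stem = row.get("cs-uri-stem", "").lower()
        if stem.endswith(SERVER_SIDE_EXT) and any(d in stem for d in STATIC_ONLY_DIRS):
            hits.append(row)
    return hits


def summarize_by_client(hits):
    """Map each client IP to the sorted list of distinct script names it touched.

    A single IP hitting more than one script mirrors the paired use of
    iispool.aspx and map.aspx described in the report.
    """
    by_ip = {}
    for row in hits:
        name = row["cs-uri-stem"].rsplit("/", 1)[-1]
        by_ip.setdefault(row["c-ip"], set()).add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def find_lsass_dump(cmdlines):
    """Command lines matching known LOLBin patterns for dumping lsass.exe."""
    return [c for c in cmdlines if any(p.search(c) for p in LSASS_DUMP_PATTERNS)]


if __name__ == "__main__":
    rows = parse_iis_w3c(SAMPLE_IIS_LOG)
    hits = find_webshell_requests(rows)
    for ip, scripts in summarize_by_client(hits).items():
        print(f"[webshell] {ip} requested server-side scripts under aspnet_client: {scripts}")
    for cmd in find_lsass_dump(SAMPLE_PROCESS_CMDLINES):
        print(f"[lsass-dump] {cmd}")
```

Run against real IIS logs, the aspnet_client check produces few false positives because legitimate traffic to that directory is limited to static files; tune STATIC_ONLY_DIRS to whatever other directories your build holds static content in. The lsass patterns only cover the two assumed techniques and should be extended with whatever dumping tools appear in your own telemetry.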