Iranian hacker group Agrius launches Moneybird ransomware attacks on Israeli entities

The emergence of Moneybird ransomware

Moneybird ransomware attacks Israeli organizations

The Iranian hacker group known as Agrius (tracked by Microsoft as Pink Sandstorm, formerly Americium) has developed a new ransomware strain dubbed Moneybird. Discovered by Check Point researchers,[1] the malware is being used against Israeli organizations and marks a shift in the group's tooling.

Agrius has a history of destructive data-wiping attacks against Israeli entities, often disguised as ransomware infections. Moneybird, written in C++, shows the group continuing to build new tooling rather than reusing its older implants.

The group's activity has been traced back to at least December 2020, when Agrius carried out disruptive intrusions against diamond industry targets in South Africa, Israel, and Hong Kong. Its earlier implants were .NET-based: Apostle, a wiper later reworked into ransomware, and its successor Fantasy. Moneybird's move to C++ is a departure from that lineage.

Attack methodology and Moneybird's operation

The Moneybird intrusion chain begins with the exploitation of vulnerabilities in internet-exposed web servers. Through that access the attackers deploy an ASPXSpy web shell, which gives them their first foothold in the target network.

Once in place, the web shell is used to deliver a set of publicly available tools for reconnaissance of the victim environment, lateral movement, credential harvesting, and exfiltration of sensitive data. Because these are public tools rather than custom malware, detection depends on spotting their use (unexpected web shell traffic, credential dumping, bulk data movement) rather than on unique signatures.
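Since the foothold is a web shell on an IIS server, the first place to look is the server's own W3C logs. The following Go program is an added example, not code from the article or from Check Point: it reads an IIS log, takes the column order from the log's own `#Fields:` header, and flags requests for `.aspx`/`.ashx` resources that are not in an allowlist of pages the application is known to serve, grouping them by client address. The log lines and the `knownPages` allowlist are constructed for the demonstration; the web shell path in them is invented and is not the path Agrius used.

```go
package main

import (
	"fmt"
	"net"
	"path"
	"strings"
)

// Finding is one (client IP, URI) pair that requested a web-shell candidate.
type Finding struct {
	ClientIP string
	URI      string
	Methods  map[string]int // request methods seen, e.g. {"POST": 2}
	External bool           // client address is neither RFC 1918 nor loopback
	Hits     int
}

// scanIISLog walks a W3C extended log as written by IIS and flags requests for
// .aspx/.ashx resources that are not in the application's known page set.
// knownPages holds lowercase cs-uri-stem values the application legitimately serves.
func scanIISLog(logText string, knownPages map[string]bool) []Finding {
	idx := map[string]int{} // column positions, taken from the log's own #Fields line
	found := map[string]*Finding{}
	var order []string // keys in first-seen order so output is deterministic

	for _, line := range strings.Split(logText, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "#Fields:"):
			for i, name := range strings.Fields(strings.TrimPrefix(line, "#Fields:")) {
				idx[name] = i
			}
			continue
		case strings.HasPrefix(line, "#"):
			continue // #Software, #Version, #Date directives
		}
		cols := strings.Fields(line)
		mi, okM := idx["cs-method"]
		ui, okU := idx["cs-uri-stem"]
		ci, okC := idx["c-ip"]
		if !okM || !okU || !okC || mi >= len(cols) || ui >= len(cols) || ci >= len(cols) {
			continue // no field header yet, or a truncated record
		}
		uri := strings.ToLower(cols[ui])
		if ext := path.Ext(uri); ext != ".aspx" && ext != ".ashx" {
			continue
		}
		if knownPages[uri] {
			continue
		}
		ip := cols[ci]
		key := ip + " " + uri
		f, seen := found[key]
		if !seen {
			parsed := net.ParseIP(ip)
			f = &Finding{
				ClientIP: ip, URI: uri, Methods: map[string]int{},
				External: parsed != nil && !parsed.IsPrivate() && !parsed.IsLoopback(),
			}
			found[key] = f
			order = append(order, key)
		}
		f.Methods[cols[mi]]++
		f.Hits++
	}

	out := make([]Finding, 0, len(order))
	for _, k := range order {
		out = append(out, *found[k])
	}
	return out
}

// Constructed sample log (not real traffic): two legitimate pages, then repeated
// POSTs from an external address to an .aspx file under a path the app never served.
const sampleLog = `#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2023-05-01 08:00:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 15
2023-05-01 08:00:05 10.0.0.5 GET /Login.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 20
2023-05-01 08:02:13 10.0.0.5 POST /aspnet_client/system_web/img.aspx - 443 - 198.51.100.77 python-requests/2.28 - 200 0 0 40
2023-05-01 08:02:20 10.0.0.5 POST /aspnet_client/system_web/img.aspx - 443 - 198.51.100.77 python-requests/2.28 - 200 0 0 35
2023-05-01 08:05:00 10.0.0.5 GET /Default.aspx - 443 - 192.168.1.20 Mozilla/5.0 - 200 0 0 10
`

// knownPages is a placeholder allowlist; build it from the deployed site's content in practice.
var knownPages = map[string]bool{"/default.aspx": true, "/login.aspx": true}

func main() {
	for _, f := range scanIISLog(sampleLog, knownPages) {
		fmt.Printf("%s -> %s hits=%d methods=%v external=%v\n", f.ClientIP, f.URI, f.Hits, f.Methods, f.External)
	}
}
```

The allowlist approach will flag any unlisted page, so it is a triage aid rather than a signature: confirm a hit by checking the file's creation time on disk against the first request in the log and by reviewing its contents. Run it over logs from before the earliest suspicious request as well, since the web shell is dropped through the initial server exploit and its first POST is often the clearest timestamp for when the intrusion began.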

Moneybird is then launched on the compromised host. It is built to encrypt files under the “F:\User Shares” folder, a hard-coded path that points to a build tailored to the victim's file-server layout. Once it runs, it drops a ransom note pressuring the victim to make contact within 24 hours or risk public leakage of the stolen data.

For encryption, Moneybird uses AES-256 in GCM (Galois/Counter Mode). It generates a unique key for every file and appends encrypted metadata to the end of each encrypted file. Because no single key covers the data, and GCM rejects decryption under a wrong key outright rather than yielding partial plaintext, recovery without the operator's key material is not feasible in practice; restoration depends on offline backups.
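To make the per-file-key design concrete, here is an added Go example (written for this page, not Moneybird's code, and not its actual file format): each file is sealed with a fresh AES-256-GCM key, and a trailer holding that key and nonce, wrapped under a separate operator key, is appended to the ciphertext. The trailer layout, the `MBRD` marker and the operator key are assumptions for the demonstration. The `parseTrailer` function is the part a responder can run without any key: it confirms a file carries an intact trailer and separates it from the body. `openFile` shows that a wrong operator key fails GCM authentication instead of producing garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed on-disk layout for this example (hypothetical, not Moneybird's real format):
//   [ AES-256-GCM body ][ wrapNonce 12 ][ wrapped(fileKey||nonce) 44+16 ][ magic 4 ]
const (
	magic      = "MBRD" // hypothetical marker so a responder can recognise the trailer
	keyLen     = 32     // AES-256
	nonceLen   = 12     // standard GCM nonce size
	tagLen     = 16     // GCM authentication tag
	wrappedLen = keyLen + nonceLen + tagLen
	trailerLen = nonceLen + wrappedLen + len(magic)
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile encrypts plaintext under a fresh per-file key and appends a trailer
// holding that key and nonce wrapped under masterKey (the secret only the operator holds).
func sealFile(plaintext, masterKey []byte) ([]byte, error) {
	fileKey := make([]byte, keyLen)
	nonce := make([]byte, nonceLen)
	wrapNonce := make([]byte, nonceLen)
	for _, b := range [][]byte{fileKey, nonce, wrapNonce} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	fileGCM, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	masterGCM, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	body := fileGCM.Seal(nil, nonce, plaintext, nil)
	meta := append(append([]byte{}, fileKey...), nonce...)
	wrapped := masterGCM.Seal(nil, wrapNonce, meta, nil)
	out := append(body, wrapNonce...)
	out = append(out, wrapped...)
	return append(out, magic...), nil
}

// parseTrailer needs no key: it checks that the file ends in an intact trailer
// and splits the ciphertext body from the wrapped key material.
func parseTrailer(blob []byte) (body, wrapNonce, wrapped []byte, err error) {
	if len(blob) < trailerLen+tagLen || !bytes.HasSuffix(blob, []byte(magic)) {
		return nil, nil, nil, errors.New("no recognisable trailer")
	}
	t := blob[len(blob)-trailerLen:]
	return blob[:len(blob)-trailerLen], t[:nonceLen], t[nonceLen : nonceLen+wrappedLen], nil
}

// openFile reverses sealFile. Without masterKey the per-file key is unrecoverable,
// and a wrong masterKey fails GCM authentication instead of yielding partial plaintext.
func openFile(blob, masterKey []byte) ([]byte, error) {
	body, wrapNonce, wrapped, err := parseTrailer(blob)
	if err != nil {
		return nil, err
	}
	masterGCM, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	meta, err := masterGCM.Open(nil, wrapNonce, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	fileGCM, err := newGCM(meta[:keyLen])
	if err != nil {
		return nil, err
	}
	return fileGCM.Open(nil, meta[keyLen:], body, nil)
}

func main() {
	master := bytes.Repeat([]byte{0x42}, keyLen) // constructed operator key for the demo
	blob, err := sealFile([]byte("quarterly-report.xlsx contents"), master)
	if err != nil {
		panic(err)
	}
	pt, err := openFile(blob, master)
	fmt.Printf("roundtrip ok: %v\n", err == nil && string(pt) == "quarterly-report.xlsx contents")
	_, err = openFile(blob, bytes.Repeat([]byte{0x43}, keyLen))
	fmt.Printf("wrong operator key: %v\n", err)
}
```

The design choice to note is the two-level key structure: the per-file key protects the content, and only the wrapped copy in the trailer ties it back to a secret the operator holds. Memory forensics on the host may recover the per-file key for a file that was being processed at the moment of capture, but not the keys for files already finished, so the practical recovery plan is backups, not decryption.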

Expanding threat landscape

Agrius is only one part of a larger Iranian state-sponsored cyber operations ecosystem. Other groups, such as MuddyWater and Storm-1084 (aka DEV-1084), have also deployed ransomware against Israeli organizations, a continuing and possibly growing pattern highlighted in a recent Microsoft report.[2]

Separately, ClearSky reported that at least eight Israeli websites belonging to shipping, logistics, and financial services companies were compromised,[3] in what is believed to be a watering hole campaign by the Iran-linked Tortoiseshell group.

Regional managed service providers (MSPs) in Israel have also been targeted by a phishing campaign aimed at reaching their downstream customers, a supply chain angle highlighted by Proofpoint.[4] Small and medium-sized businesses that rely on an MSP inherit that exposure even when they are not attacked directly.

The emergence of Moneybird alongside these campaigns underlines the need for hygiene that matches the intrusion chain: patching internet-facing web servers, monitoring them for web shells, limiting what a compromised server can reach on the internal network, and keeping tested offline backups. Israeli organizations in particular should expect continued activity from Agrius and its peers.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
