Moneybird ransomware unleashed against Israeli targets

May 29, 2023
Moneybird Ransomware Malware Israel Iranian Hackers Agrius Threat Group Vulnerability

In recent developments, a suspected Iranian state-sponsored threat group that operates under the moniker ‘Agrius’ has stepped up its cybercriminal campaigns directed against organisations in Israel. The group has been seen unleashing a newly discovered ransomware variant dubbed ‘Moneybird.’

Since at least 2021, the Agrius group has been targeting Israeli entities alongside the broader Middle East region. The group operates under several aliases and has carried out destructive attacks, such as deploying data wipers.

Security researchers note that the new Moneybird ransomware strain serves as yet another means of obscuring the group’s origins and evading security detection.


Agrius utilises Moneybird ransomware against corporate networks by exploiting public-facing server critical flaws.


The threat group gains entry to corporate networks by exploiting security vulnerabilities in public-facing servers. Once the flaw has been exploited and an initial foothold established in the targeted organisation’s network, Agrius begins its malicious activities.

Agrius then conceals its tracks by routing its operations through Israel-based ProtonVPN nodes. Behind this cover, the actors deploy ASPXSpy web shells disguised as harmless “Certificate” text files. This deceptive tactic has recurred in the group’s previous campaigns, allowing it to evade detection by security researchers and prolong its unauthorised access to compromised networks.
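The disguise described above works because a web server will happily hand a file named like a certificate or a text note to its ASP.NET handler if the content is server-side code. One defender-side check is to look for that mismatch: files whose extension says “inert text” but whose contents carry ASP.NET page markers. The script below is an added example, not code from the article or from any vendor report; the markers it searches for are generic ASP.NET directives, not the ASPXSpy signature (which the article does not give), and the web root it scans is constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Generic ASP.NET server-side markers used as a heuristic. These are an assumption
# for the example, not the real ASPXSpy signature (not given in the article).
ASPX_MARKERS = [
    re.compile(rb"<%@\s*Page\b", re.IGNORECASE),
    re.compile(rb"<script[^>]+runat\s*=\s*[\"']server[\"']", re.IGNORECASE),
    re.compile(rb"<%[\s\S]*?%>"),  # any inline server code block
]

# Extensions a web server would normally treat as inert text or certificate material.
INERT_EXTENSIONS = {".txt", ".cer", ".crt", ".pem", ".log"}


def looks_like_aspx(data: bytes) -> bool:
    """True if the bytes contain any ASP.NET server-side marker."""
    return any(m.search(data) for m in ASPX_MARKERS)


def scan_webroot(root: Path) -> list[Path]:
    """Return files whose name says 'inert text' but whose content carries ASP.NET code."""
    flagged = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in INERT_EXTENSIONS:
            continue
        with path.open("rb") as fh:
            head = fh.read(64 * 1024)  # markers sit near the top of a page
        if looks_like_aspx(head):
            flagged.append(path)
    return sorted(flagged)


def demo() -> list[str]:
    """Constructed web root: a benign certificate text file, a disguised page, a real .aspx."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "certs").mkdir()
        # Benign: PEM text, contents match the name.
        (root / "certs" / "Certificate.txt").write_bytes(
            b"-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n"
            b"-----END CERTIFICATE-----\n")
        # Suspicious: named like a certificate, but the body is an ASP.NET page.
        (root / "certs" / "Certificate2.txt").write_bytes(
            b'<%@ Page Language="C#" %>\n<script runat="server">\n'
            b"// constructed placeholder, no payload\n</script>\n")
        # Legitimate page: .aspx is expected to hold server code, so it is not flagged.
        (root / "default.aspx").write_bytes(b'<%@ Page Language="C#" %>')
        return [p.name for p in scan_webroot(root)]


if __name__ == "__main__":
    print(demo())
```

Run against a real IIS web root the same way, and treat any hit as a file to review rather than a confirmed web shell; the check is cheap enough to schedule alongside integrity monitoring of the site directory.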

After deploying the web shells in a compromised network, the attackers lean on a range of open-source tools to further their infiltration. Plink/PuTTY provides secure communication channels; ProcDump is used to harvest credentials, which in turn elevates the group’s access privileges; and data is exfiltrated with an FTP client, FileZilla.

Agrius downloads the Moneybird ransomware from trusted file hosting platforms and deploys it to encrypt selected files with AES-256 in GCM mode. Each file is encrypted with its own key, and encrypted metadata is appended to the file.

The ransomware selectively targets the “F:\User Shares” shared folder in corporate networks where corporate files are commonly stored, indicating that the ransomware aims to disrupt business operations rather than solely locking down individual computers.

The compromised systems are marked with ransom notes that prompt victims to visit a link within 24 hours to receive instructions for data restoration.
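Because every file is encrypted with its own AES-256-GCM key, the resulting content is statistically indistinguishable from random bytes, which is something a defender can measure. The sweep below is an added example, not code from the article: it reads the head of each file on a share, computes its Shannon entropy, and flags files that approach 8 bits per byte. The share layout, the file names (including the “.locked” suffix, which the article does not give) and the byte patterns are all constructed; the list of formats skipped as high-entropy by design is an assumption to keep compressed documents and images from tripping the check.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are compressed or encrypted in normal use and so look random anyway.
# Skipping them cuts false positives; this list is an assumption for the example.
HIGH_ENTROPY_BY_DESIGN = {".zip", ".7z", ".gz", ".jpg", ".jpeg", ".png",
                          ".mp4", ".pdf", ".docx", ".xlsx"}

ENTROPY_THRESHOLD = 7.5  # bits per byte; uniform random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sweep_share(root: Path, sample_bytes: int = 4096) -> dict:
    """Entropy of the first sample_bytes of each file, plus the names over threshold."""
    report, suspicious = {}, []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in HIGH_ENTROPY_BY_DESIGN:
            continue
        with path.open("rb") as fh:
            sample = fh.read(sample_bytes)
        h = shannon_entropy(sample)
        report[path.name] = round(h, 3)
        if h >= ENTROPY_THRESHOLD:
            suspicious.append(path.name)
    return {"entropy": report, "suspicious": suspicious}


def demo() -> dict:
    """Constructed share: two plaintext business files, one 'encrypted' file, one JPEG."""
    rng = random.Random(2023)  # deterministic stand-in for AES-GCM ciphertext
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "User Shares"  # constructed; mirrors the share name in the article
        root.mkdir()
        (root / "budget.csv").write_text("quarter,region,amount\n" + "Q1,North,1200\n" * 200)
        (root / "memo.txt").write_text(
            "Meeting notes: review the quarterly figures with finance.\n" * 50)
        # Random body plus a constructed trailer standing in for appended metadata.
        (root / "budget.csv.locked").write_bytes(
            rng.randbytes(4096) + b"constructed-metadata-trailer")
        (root / "photo.jpg").write_bytes(rng.randbytes(4096))  # skipped: high entropy by design
        return sweep_share(root)


if __name__ == "__main__":
    result = demo()
    for name, h in result["entropy"].items():
        print(f"{name:20s} {h:.3f}")
    print("suspicious:", result["suspicious"])
```

On a real share this is a triage signal, not a verdict: a single high-entropy file may be a backup archive with an odd extension, but a burst of newly high-entropy files under one share within minutes is the pattern worth alerting on.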

Although Moneybird ransomware is a potent tool for the Agrius gang to disrupt businesses, the potential for ongoing developments poses a significant threat to a wider spectrum of Israeli organisations. These threats amplify the need for heightened cybersecurity measures for companies in the affected region.
