Iran-linked hackers Agrius deploying new ransomware against Israeli orgs
An Iran-linked advanced persistent threat group is using new ransomware while targeting a familiar adversary in the Middle East, researchers have found.
Check Point’s Incident Response Team investigated the deployment of the ransomware against Israeli organizations and claimed by a group dubbing itself Moneybird. Researchers found that it bore the hallmarks of Agrius, a hacker group that has been around since 2020 and has attempted to disguise itself with aliases like BlackShadow.
The group is known for having targeted the Israeli insurance company Shirbit with ransomware in late 2020 and Bar-Ilan University in 2021, and for deploying wiper attacks.
According to Check Point investigators, Moneybird is a new product for the group. Most of its previous attacks have been carried out with ransomware called Apostle.
“The use of a new ransomware, written in C++, is noteworthy,” they wrote, “as it demonstrates the group’s expanding capabilities and ongoing effort in developing new tools.”
The researchers did not elaborate on the sort of organizations targeted but said, despite the new payload, the techniques used bore the stamp of Agrius.
A ransom note from Moneybird. Credit: Check Point
As in previous attacks, the threat actors gained entry via public-facing web servers and the deployment of “unique variants of ASPXSPY” — a malicious script they hid inside “Certificate” text files.
They then moved laterally within networks, conducting reconnaissance and exfiltrating data. The group uses “targeted paths” that program the ransomware to disregard most files on a targeted network, Check Point said.
“Moneybird, like many other ransomware, is a grim reminder of the importance of good network hygiene, as significant parts of the activity could have been prevented early on,” the researchers said.
A recent report from Microsoft Threat Intelligence found that the Iranian government is increasingly focused on combining influence operations with cyberattacks. They linked 24 “cyber-enabled operations” to the Iranian government last year, compared to seven the year before, and found a corresponding decline in the sorts of ransomware and wiper attacks typically deployed by Agrius.
This week, however, cyber intelligence firm ClearSky reported that a suspected Iranian APT group had targeted eight Israeli websites connected to shipping and logistics in watering hole attacks — where specific users are targeted by infecting the sites they commonly visit. ClearSky researchers linked the attacks “with a low confidence” to the Iranian nation-state hacker group Tortoiseshell, also called TA456 and Imperial Kitten.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.