Iranian group Agrius deploys new Moneybird ransomware on Israeli servers
Iranian cyberspies’ new weapon against Israel automates intelligence gathering in the target environment.
Security researchers from Check Point discovered that the Iranian group Agrius is using a new ransomware family called Moneybird in its attacks on Israeli organizations.
Agrius (also tracked as Pink Sandstorm and Americium) is known for its destructive attacks on Israel, in which the operators pose as ransomware actors encrypting files for ransom but actually wipe them. Microsoft attributes the group to the Iranian Ministry of Intelligence and Security (MOIS), which also runs the MuddyWater group, active since 2020.
The chain of infection begins with the exploitation of vulnerabilities on web servers available on the Internet, which leads to the deployment of a web shell called ASPXSpy.
In the subsequent stages of the attack, the web shell is used as a conduit to deliver tools for reconnaissance of the victim’s environment, lateral movement, credential gathering, and confidential data theft.
The compromised host also runs the Moneybird ransomware, which is built to encrypt sensitive files in the F:\User Shares folder and drop a ransom note.
Agrius is not the only Iranian group conducting cyber operations against Israel. Recently, the Israeli information security company ClearSky reported that several Israeli sites in the logistics and delivery sector were hacked to collect information about their users. ClearSky attributed the attacks, "with a low degree of certainty", to the Iranian group Tortoiseshell (TA456, Imperial Kitten), which has been active since July 2018.
Israel itself, however, is not as innocent as it might seem. Earlier it became known that an Israeli hacker group is running a large-scale business email compromise (BEC) campaign. The main targets are large international companies with annual revenue of more than $10 billion.