Iranian Hackers Deploy New Ransomware Against Israeli Firms
Researchers Discover Moneybird Ransomware Strain, Warn of Growing Sophistication
Security researchers have discovered an Iran-linked APT group carrying out a new chain of ransomware attacks using a new strain of malware against Israeli organizations.
Researchers at Check Point found a ransomware strain called Moneybird that is reminiscent of the Iranian Agrius group's previous campaigns.
Agrius gained notoriety for targeting Israel-based entities with wiper variants, masking the intrusions as ransomware attacks to confuse defenders.
According to Check Point investigators, the new Moneybird strain is an upgrade to previous Agrius attacks that used its custom-built Apostle wiper malware. The upgrade is indicative of the group's relentless expansion efforts. "The use of a new ransomware written in C++ is noteworthy as it demonstrates the group's expanding capabilities and ongoing effort in developing new tools," Check Point said.
In the latest attack, web shells positioned on vulnerable servers using known VPN service nodes serve as the entry point. Following the deployment of web shells, the threat actor used several publicly available tools to move laterally through the affected system.
The malicious files are then downloaded for ransomware execution and data exfiltration activities through some common services.
Other tools are also deployed for similar purposes, such as reconnaissance, lateral movement, data theft and credential harvesting. These tools include:
- SoftPerfect Network Scanner to scan for internal networks;
- Plink to tunnel traffic from a VPS owned by the attacker;
- ProcDump to dump LSASS and harvest credentials;
- FileZilla to extract compressed files.
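For defenders, the tool list above maps onto process-creation telemetry. The following is an added detection sketch, not code from Check Point or the original article: it classifies events by tool and reports hosts that show an LSASS dump or several distinct stages. The executable names, option patterns, field names (modelled on Sysmon Event ID 1) and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path handling on any OS

# Tool names come from the article's list. The executable names and option
# patterns are assumptions about default builds, not indicators from Check Point.
RULES = {  # stage: (name pattern, optional command-line pattern)
    "network_scan": (re.compile(r"netscan", re.I), None),
    # Case-sensitive: Plink's -L/-R/-D set up forwarding, lowercase -l is the login name.
    "tunnel": (re.compile(r"plink", re.I), re.compile(r"\s-[LRD]\s")),
    # Misses dumps requested by PID; pair with Sysmon Event ID 10 on lsass.exe.
    "lsass_dump": (re.compile(r"procdump", re.I), re.compile(r"lsass", re.I)),
    "file_transfer": (re.compile(r"filezilla", re.I), None),
}

def classify(event):
    """Return the stages matched by one process-creation event."""
    # Match the on-disk name and the PE OriginalFileName, so a renamed copy still hits.
    names = f'{basename(event["Image"])} {event.get("OriginalFileName", "")}'
    cmd = event.get("CommandLine", "")
    return [stage for stage, (name_re, cmd_re) in RULES.items()
            if name_re.search(names) and (cmd_re is None or cmd_re.search(cmd))]

def triage(events, min_stages=2):
    """Report hosts showing an LSASS dump or several distinct stages."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["Computer"]].update(classify(ev))
    return {host: sorted(stages) for host, stages in hits.items()
            if "lsass_dump" in stages or len(stages) >= min_stages}

# Constructed events; hosts, paths and addresses are made up.
SAMPLE_EVENTS = [
    {"Computer": "web01", "Image": r"C:\Users\Public\netscan.exe", "CommandLine": "netscan.exe"},
    {"Computer": "web01", "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "procdump",
     "CommandLine": r"svc.exe -accepteula -ma lsass.exe C:\Windows\Temp\out.dmp"},
    {"Computer": "web01", "Image": r"C:\Users\Public\plink.exe",
     "CommandLine": "plink.exe -R 3389:127.0.0.1:3389 user@203.0.113.10"},
    {"Computer": "hr-pc7", "Image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "CommandLine": "filezilla.exe"},
    {"Computer": "admin02", "Image": r"C:\Tools\plink.exe",
     "CommandLine": "plink.exe -l admin 198.51.100.5"},
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(host, stages)
```

Single-tool hosts such as the FileZilla workstation and the interactive Plink login are left out of the report, which keeps routine administrative use from drowning the multi-stage host.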
Check Point researchers said the bad actors mostly performed manual attacks using Remote Desktop Protocol, a secure network communication protocol offered by Microsoft. Several payloads seemed to have been downloaded by opening a browser and connecting to legitimate file-sharing services that hosted the payloads, one of which was the executable file for Moneybird.
The threat lacks any command-line parsing capability but instead includes a configuration file blob embedded within the tool itself, making it less suitable for mass campaigns with a variety of different IT environments.