The Agrius threat group has been observed using a new ransomware strain named Moneybird against Israeli entities. The group is, however, known for performing destructive data-wiping attacks in the guise of ransomware infections in Israel. Microsoft has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS), which operates the MuddyWater group.
Agrius, also known as Pink Sandstorm or Americium, has been active for almost two years and is known for developing .NET-based malware, such as Apostle. However, the Moneybird ransomware has been developed in C++.
Moneybird's attack campaign
The infection sequence commences by exploiting vulnerabilities in internet-exposed web servers, followed by the deployment of a web shell identified as ASPXSpy.
Moneybird ransomware encrypts important files in the F:\User Shares folder and drops a ransom note advising the organization to make contact within 24 hours or their stolen information will be leaked.
For exploitation and post-exploitation tasks, the attackers use public VPN service nodes, mostly the ProtonVPN nodes, based in Israel.
Post-infection steps
Post data encryption, the attackers use a web shell to deliver publicly-known tools, including Plink, FileZilla, ProcDump, and SoftPerfect Network Scanner, for reconnaissance, lateral movement, credential harvesting, and data exfiltration.
To download some of the payloads, the threat actor opens a browser and connects with genuine file-sharing services. Most of these activities are performed manually by the threat actors via RDP.
Previous campaign
In December 2022, the threat actor was linked to a set of attempted disruptive intrusions. These intrusions were aimed at diamond industries located in Israel, Hong Kong, and South Africa.
These attacks used a DotNET-based wiper-turned-ransomware known as Apostle and its successor known as Fantasy.
Conclusion
The use of multiple ready-to-use toolsets, along with the custom-built Moneybird ransomware, indicates that Agrius actors are quite skillful and take a keen interest in expanding their arsenal regularly. Therefore, to stay protected, organizations are urged to follow good data security practices, such as frequent backup of important data and the use of reliable data encryption and masking tools.