Moneybird Ransomware Used in Attacks on Israeli Entities
Agrius, an Iranian hacking group also tracked as Pink Sandstorm and formerly Americium, has developed a new ransomware family called Moneybird. Check Point researchers discovered the malware, which marks a notable change in Agrius' tooling as the group continues to target Israeli organizations.
Agrius has a history of carrying out destructive data-wiping attacks on Israeli entities, often disguising them as ransomware infections. The development of Moneybird, programmed in C++, showcases the group's expanding skills and ongoing commitment to creating fresh cyber tools.
Agrius has been linked to disruptive intrusions against the diamond industry in South Africa, Israel, and Hong Kong since at least December 2020. In the past, the group used a .NET-based ransomware called Apostle, which later evolved into Fantasy. Moneybird, written in C++, is a departure from that .NET lineage.
Moneybird - Propagation and Activity
The Moneybird operation follows a multi-stage attack chain. It begins with the exploitation of vulnerabilities in publicly exposed web servers, which allows the attackers to deploy an ASPXSpy web shell that serves as the initial foothold in the targeted organization's network.
Once inside, the web shell acts as a communication channel to deliver a set of well-known tools designed for in-depth reconnaissance, lateral movement, credential harvesting, and exfiltration of sensitive data within the victim's environment.
Subsequently, Moneybird ransomware is deployed on the compromised host and specifically targets sensitive files in the "F:\User Shares" folder. Upon execution, the ransomware leaves behind a ransom note, pressuring victims to make contact within 24 hours or risk their stolen data being publicly leaked.
Moneybird encrypts files with AES-256 in GCM mode, generating a unique encryption key for each file. Encrypted metadata is appended to the end of each file, which makes data restoration and decryption highly challenging, if not impossible, in most cases.
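Two of the behaviours described above, a single targeted share folder and encrypted output written back into existing files, give defenders something concrete to hunt for on file servers. The script below is an added example (not Check Point's analysis tooling and not code from the article): it walks a share, flags files whose trailing bytes have the near-random entropy typical of ciphertext, and separately collects small text files that look like ransom notes. The entropy threshold, the tail length, the note keyword hints and the sample files it builds in a temporary directory are all constructed assumptions for the demonstration.

```python
import math
import random
import tempfile
from pathlib import Path

# Constructed keyword hints for spotting a dropped note; not Moneybird's actual note text.
RANSOM_NOTE_HINTS = ("encrypted", "decrypt", "24 hours")

# Assumed thresholds: AES-GCM output is close to 8 bits/byte; ordinary documents sit far lower.
ENTROPY_THRESHOLD = 7.5
TAIL_LEN = 4096
NOTE_MAX_SIZE = 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def tail_entropy(path: Path, tail_len: int = TAIL_LEN) -> float:
    """Entropy of the last `tail_len` bytes, where appended encrypted metadata would sit."""
    size = path.stat().st_size
    with open(path, "rb") as fh:
        fh.seek(max(0, size - tail_len))
        return shannon_entropy(fh.read())


def scan_share(root: Path):
    """Return (suspect_files, candidate_notes) found under `root`.

    Caveat: legitimately compressed or encrypted formats (zip, jpg, office files)
    also have high-entropy tails, so treat hits as triage leads, not verdicts.
    """
    suspect, notes = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if p.stat().st_size <= NOTE_MAX_SIZE:
            # Small files are checked for note-like wording rather than entropy.
            text = p.read_text(errors="ignore").lower()
            if any(hint in text for hint in RANSOM_NOTE_HINTS):
                notes.append(p.name)
            continue
        if tail_entropy(p) > ENTROPY_THRESHOLD:
            suspect.append(p.name)
    return suspect, notes


def demo():
    """Build a constructed share with one clean file, one ciphertext-like file and one note."""
    rng = random.Random(1234)  # seeded so the sample is reproducible
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "User Shares"  # stand-in for the F:\User Shares target folder
        share.mkdir()
        # Ordinary document: repetitive text, low entropy.
        (share / "report.txt").write_bytes(b"quarterly report line\n" * 400)
        # Stand-in for an encrypted file: random bytes, entropy close to 8 bits/byte.
        (share / "budget.xlsx").write_bytes(bytes(rng.getrandbits(8) for _ in range(8192)))
        # Small note-like text file.
        (share / "README_NOTE.txt").write_text(
            "your files are encrypted. contact us within 24 hours to decrypt them."
        )
        return scan_share(share)


if __name__ == "__main__":
    suspects, notes = demo()
    print("high-entropy tails:", suspects)
    print("note candidates:", notes)
```

Running the script prints the random-filled file as the only high-entropy hit and the small text file as the only note candidate. On a real server the same walk would be pointed at the share in question and the results fed into incident triage alongside file modification times.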
What are Advanced Persistent Threat Actors or APTs?
Advanced Persistent Threat Actors (APTs) are sophisticated and highly skilled threat actors or hacking groups that conduct long-term, targeted cyber attacks against specific organizations, often with the backing of nation-states or well-resourced entities. APTs are characterized by their advanced techniques, persistence, and intent to infiltrate and compromise targeted systems for extended periods, often remaining undetected.
Here are some key characteristics and traits associated with APTs:
- Advanced Techniques: APT actors employ advanced hacking techniques, including zero-day exploits, custom malware, rootkits, and sophisticated social engineering tactics. They constantly evolve their methods to bypass security measures and maintain their access.
- Persistence: APTs are committed to achieving their objectives and maintain long-term presence within compromised systems. They may establish multiple points of entry, create backdoors, and utilize stealthy communication channels to maintain persistence.
- Targeted Attacks: APTs focus on specific targets, such as government agencies, defense contractors, critical infrastructure, research institutions, or multinational corporations. They conduct thorough reconnaissance to gather intelligence and tailor their attacks to exploit specific vulnerabilities within the target's infrastructure.
- Nation-State Backing: APTs are often associated with nation-states or state-sponsored entities seeking political, economic, or military advantages. They may have substantial resources, intelligence capabilities, and legal protections, allowing them to carry out extensive and prolonged campaigns.
- Data Exfiltration: A primary objective of APTs is to exfiltrate valuable data, including intellectual property, trade secrets, classified information, or personally identifiable information (PII). The stolen data can be exploited for espionage, economic gain, competitive advantage, or future cyber operations.
- Covert Operations: APTs prioritize maintaining a low profile and avoiding detection. They employ sophisticated evasion techniques, such as anti-forensic measures, encryption, and obfuscation, to hide their activities and evade security systems.
Examples of well-known APT groups include APT29 (also known as Cozy Bear or The Dukes), APT28 (also known as Fancy Bear or Sofacy), Equation Group, Comment Crew, and Lazarus Group.