A new ransomware variant called "Moneybird" is currently being used by the threat actor "Agrius," which is thought to be funded by the Iranian government, to target Israeli organisations.
Since at least 2021, Agrius has been using various identities to deliberately target organisations in Israel and the Middle East while using data wipers in disruptive attacks.
Researchers from Check Point who found the new ransomware strain believe that Agrius created it to aid in the growth of their activities, and that the threat group's use of "Moneybird" is just another effort to hide their footprints.
Modus operandi
According to Check Point researchers, threat actors first acquire access to company networks by taking advantage of flaws in servers that are visible to the public, giving Agrius its first network footing.
The hackers then conceal themselves behind Israeli ProtonVPN nodes to launch ASPXSpy webshell variations concealed inside "Certificate" text files, a strategy Agrius has employed in the past.
After deploying the webshells, the attackers employ open-source tools to move laterally, communicate securely using Plink/PuTTY, steal credentials using ProcDump, and exfiltrate data using FileZilla. These tools include SoftPerfect Network Scanner, Plink/PuTTY, ProcDump, and ProcDump.
The Moneybird ransomware executable is obtained by Agrius in the subsequent stage of the attack through reliable file hosting services like 'ufile.io' and 'easyupload.io.'
The C++ ransomware strain will encrypt target files using AES-256 with GCM (Galois/Counter Mode), creating distinct encryption keys for each file and appending encrypted metadata at their conclusion. This process begins immediately after the target files are launched.
In the instances observed by Check Point, the ransomware only targeted "F:User Shares," a typical shared folder on business networks used to hold company records, databases, and other items pertaining to collaboration.
This focused targeting suggests that Moneybird is more interested in disrupting business than in locking down the affected machines.
Since the private keys used to encrypt each file are produced using information from the system GUID, file content, file path, and random integers, Check Point argues that data restoration and file decryption would be incredibly difficult.
Following the encryption, ransom notes are left on the affected systems, advising the victim to click the provided link within 24 hours for instructions on data recovery.
"Hello WE ARE MONEYBIRD! All of your data encrypted! If u want you to restore them follow this link with in 24H," reads the Moneybird ransom note.
Moneybird is thought to be ransomware, not a wiper, in contrast to earlier assaults connected to Agrius, and it is intended to generate money to support the threat actors' nefarious activities.
However, in the case observed by Check Point Research, the ransom demand was so high that it was understood from the beginning that a payment would probably not be made, effectively rendering the attack harmful.
"Yes negotiations could be possible but the demand was extremely high, which leads us to believe that it’s part of the trick. They knew no one would pay so the damage and data leaked was expected. It was not a wiper," stated Eli Smadga, Research Group Manager at Check Point Research.
An easy-to-use but powerful ransomware
According to Check Point, Moneybird depends on an embedded configuration blob rather than command-line parsing, which would enable victim-specific customizations and increased deployment flexibility.
Because the ransomware's behaviour parameters are pre-defined and difficult to customise for each target or situation, the strain is inappropriate for mass marketing efforts.
But for Agrius, Moneybird remains a powerful instrument for business disruption, and future advancements that result in the release of newer, more powerful versions may make it a serious danger to a wider variety of Israeli organisations.