A suspected Iranian state-supported threat actor known as ‘Agrius’ is now deploying a new ransomware strain named ‘Moneybird’ against Israeli organizations.
Agrius has been actively targeting entities in Israel and the Middle East region since at least 2021 under multiple aliases while deploying data wipers in destructive attacks.
Check Point researchers, who discovered the new strain, believe that Agrius developed it to expand their operations, and that the use of ‘Moneybird’ is yet another attempt by the threat group to cover their tracks.
Moneybird attacks
Check Point researchers say the threat actors initially gain access to corporate networks by exploiting vulnerabilities in public-facing servers, giving Agrius an initial foothold within the organization’s network.
Next, the hackers hide behind Israel-based ProtonVPN nodes to deploy variants of ASPXSpy webshells hidden inside “Certificate” text files, a tactic that Agrius has used in previous campaigns.
Having deployed the webshells, the attackers proceed to use open-source tools for the next stages of the intrusion: network reconnaissance (SoftPerfect Network Scanner), lateral movement, secure communication (Plink/PuTTY), credential stealing (ProcDump), and data exfiltration (FileZilla).
In the next phase of the attack, Agrius fetches the Moneybird ransomware executable from legitimate file hosting platforms like ‘ufile.io’ and ‘easyupload.io.’
Upon launch, the C++ ransomware encrypts target files using AES-256 in GCM (Galois/Counter Mode), generating a unique encryption key for every file and appending encrypted metadata to the end of each one.
In the cases seen by Check Point, the ransomware only targeted “F:\User Shares,” a common shared folder on corporate networks used to store corporate documents, databases, and other collaboration-related files.
This narrow targeting indicates that Moneybird aims more at causing business disruption than locking down the impacted computers.
Check Point explains that data restoration and file decryption would be extremely challenging, since the encryption key for each file is derived from the system GUID, the file content, the file path, and random numbers.
After the encryption, ransom notes are dropped on the impacted systems urging the victim to follow the provided link within 24 hours for directions on restoring their data.
“Hello WE ARE MONEYBIRD! All of your data encrypted! If u want you to restore them follow this link with in 24H,” reads the Moneybird ransom note.
Unlike previous attacks linked to Agrius, Moneybird is believed to be ransomware, rather than a wiper, meant to generate revenue to fund the threat actors’ malicious operations.
However, in the case seen by Check Point Research, the ransom demand was so high that it was clear from the start that payment was unlikely to be made, making the attack essentially destructive.
“Yes, negotiations could be possible, but the demand was extremely high, which leads us to believe that it’s part of the trick. They knew no one would pay, so the damage and data leaked was expected. It was not a wiper,” Eli Smadga, Research Group Manager at Check Point Research, told BleepingComputer.
A simple, but effective, ransomware
Check Point explains that Moneybird has no command-line argument parsing, which would allow victim-specific configurations and more versatile deployment; instead, it relies on an embedded configuration blob.
This means the ransomware’s behavior parameters are predefined and cannot be easily adjusted for each target or circumstance, making the strain unsuitable for mass campaigns.
For Agrius, however, Moneybird is still an effective business-disruption tool, and further development leading to the release of newer, more capable versions might make it a formidable threat to a broader range of Israeli organizations.