Iranian threat actor known as agrius It utilizes a new ransomware strain called money bird In attacks targeting Israeli organizations.
Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of launching destructive data wipe attacks targeting Israel under the guise of a ransomware infection.
Microsoft has attributed the attackers to the Iranian Ministry of Information Security (MOIS), which also runs MuddyWater. Known to be active since at least December 2020.
In December 2022, the hacking team was implicated in a series of destructive intrusion attempts targeting the diamond industry in South Africa, Israel, and Hong Kong.
These attacks used tools called .NET-based wipers and ransomware. Apostle And its successor is known as fantasy. Unlike Apostle, Moneybird is programmed in C++.
Check Point researchers Mark Salinas Fernandez and Ili Vinopal said, “The use of the new ransomware written in C++ is noteworthy, as it expands the group’s capabilities and continues in the development of new tools. It’s a sign of hard work,” he said. Said.
The infection sequence begins with the exploitation of a vulnerability within an Internet-facing web server, leading to the deployment of a web shell called ASPXSpy.
In subsequent steps, the web shell is used as a conduit to deliver publicly known tools to perform reconnaissance of the victim environment, move laterally, acquire credentials, and exfiltrate data.
It also runs Moneybird ransomware on compromised hosts. This ransomware is designed to encrypt sensitive files in the “F:\User Shares” folder and drop a ransom note asking companies to risk exposing stolen information if they do not contact them within 24 hours. It has been.
The researchers said, “The use of new ransomware shows that attackers are making additional efforts to harden their capabilities and step up their attribution identification and detection efforts.” “Despite these new ‘covers’, the group continues to follow normal behavior and utilize the same tools and techniques as before.”
Agurius is not the only Iranian state-backed organization engaged in cyber operations targeting Israel. A Microsoft report last month revealed that MuddyWater was working with another cluster called Storm-1084 (aka DEV-1084) to deploy his DarkBit ransomware.
The findings also reveal that at least eight websites associated with Israeli shipping, logistics and financial services companies were compromised as part of a watering hole attack organized by the Iran-linked Tortoiseshell Group, ClearSky reveals. It was announced in conjunction with the
In related development, Proofpoint clearly A regional managed service provider (MSP) in Israel has reportedly been targeted by MuddyWater as part of a phishing campaign aimed at launching supply chain attacks against downstream customers.
The enterprise security firm also highlighted escalating threats to small and medium-sized businesses (SMBs) from sophisticated threat groups. These threats have been observed leveraging compromised SMB infrastructure for phishing campaigns and financial theft.