Iran-Linked Hackers Deploy New Ransomware Against Israeli Organizations

A group linked to Iran is using new ransomware against a Middle Eastern adversary, researchers said.

The group calling itself Moneybird allegedly deployed the ransomware against Israeli organizations, CheckPoint's Incident Response Team investigated.

Researchers found that it resembled Agrius, a hacker group that has been around since 2020 and disguised itself with aliases like BlackShadow.

In late 2020, the group released ransomware on Shirbit, an Israeli insurance company. It also released wiper attacks on Bar-Ilan University in 2021.

Researchers at CheckPoint report that Moneybird is a new product for the group. Previous attacks were mostly carried out using ransomware known as Apostle.

Though the researchers didn't specify what types of organizations were targeted, they emphasized that the techniques used were Agrius-approved.

Threat actors gained entry via public-facing web servers and “unique variants of ASPXSPY” -- a malicious script hidden inside a “Certificate” text file.

It then moved laterally within networks, conducting reconnaissance and exfiltrating data. CheckPoint reports that the group uses "targeted paths," which allow the ransomware to disregard most files within targeted networks.

“Moneybird, like many other ransomwares, is a grim reminder of the importance of good network hygiene, as significant parts of the activity could have been prevented early on,” the researchers said.

According to Microsoft Threat Intelligence, the Iranian government is increasingly combining influence operations with cyberattacks.

Last year, they identified 24 "cyber-enabled operations" linked to the Iranian government, compared to seven the year before, and found a decline in the types of ransomware and wiper attacks Agrius usually employs.