The Iranian threat actor known as Agrius has been observed taking advantage of a new ransomware strain called Moneybird in its attacks targeting Israeli organizations.
Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of carrying out destructive data deletion attacks aimed at Israel under the guise of ransomware infections.
Microsoft linked the threat actor to Iran’s Ministry of Intelligence and Security (MOIS), which also operates MuddyWater. The group has been active since at least December 2020.
In December 2022, the hacking crew was linked to a series of disruption attempts directed against the diamond industry in South Africa, Israel and Hong Kong.
Those attacks involved the use of a .NET-based wiper-turned-ransomware called Apostle and its successor, known as Fantasy. Unlike Apostle, Moneybird is programmed in C++.
“The use of the new ransomware, written in C++, is noteworthy, as it demonstrates the group’s growing capabilities and ongoing efforts to develop new tools,” Check Point researchers Marc Salinas Fernandez and Jiri Vinopal said.
The infection sequence begins with the exploitation of a vulnerability in an internet exposed web server, leading to the deployment of a web shell known as ASPXSpy.
In the next step, the web shell is used as a conduit to deliver publicly known tools to perform reconnaissance of the victim’s environment, move laterally, gather credentials, and extract data.
Also running on compromised hosts was the Moneybird ransomware, which was engineered to encrypt sensitive files in the “F:\User Shares” folder and drop a ransom note urging the company to contact the attackers within 24 hours or risk having its stolen information leaked.
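As an added defender-side example, not code from the article or from Check Point's report, the following Python detector flags the two behaviours the chain above describes: a burst of file rewrites under the named share by a single process, and a ransom-note file appearing there. The audit-event format, host and process names, thresholds and note-name heuristics are constructed assumptions for illustration, not Moneybird indicators; in practice the events would come from Windows file-access auditing or Sysmon file-create logs.

```python
"""Flag ransomware-like activity on a file share from file-system audit events.

Added example, not from the article or the Check Point analysis. Event lines,
thresholds and ransom-note heuristics below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MONITORED_SHARE = r"F:\User Shares"           # share path named in the article
BURST_WINDOW = timedelta(seconds=60)          # assumed sliding window
BURST_THRESHOLD = 20                          # assumed: rewrites by one process per window
RANSOM_NOTE_HINTS = ("readme", "recover", "decrypt")  # constructed heuristics, not IoCs


def parse_event(line):
    """Parse a constructed audit line:
    '<iso-ts>Z|<host>|pid=<n>|proc=<name>|op=<CREATE|WRITE|RENAME>|path=<path>'"""
    ts, host, pid, proc, op, path = line.split("|", 5)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host,
        "pid": int(pid.split("=", 1)[1]),
        "proc": proc.split("=", 1)[1],
        "op": op.split("=", 1)[1],
        "path": path.split("=", 1)[1],
    }


def is_ransom_note(path):
    """Heuristic: a .txt whose name hints at recovery/decryption instructions."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name.endswith(".txt") and any(h in name for h in RANSOM_NOTE_HINTS)


def detect(lines):
    """Return alerts as (kind, host, pid, proc, detail) tuples."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts, flagged = [], set()
    writes = defaultdict(list)  # (host, pid, proc) -> timestamps of rewrites in the share
    for e in events:
        if not e["path"].lower().startswith(MONITORED_SHARE.lower()):
            continue  # only the monitored share is in scope
        key = (e["host"], e["pid"], e["proc"])
        if e["op"] == "CREATE" and is_ransom_note(e["path"]):
            alerts.append(("ransom_note", *key, e["path"]))
        if e["op"] in ("WRITE", "RENAME"):
            window = writes[key]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > BURST_WINDOW:
                window.pop(0)  # slide the window forward
            if len(window) >= BURST_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(("mass_write_burst", *key,
                               f"{len(window)} files in {BURST_WINDOW.seconds}s"))
    return alerts


def sample_events():
    """Constructed audit lines: one process rewrites 25 share files in 25 s and then
    drops a note; a benign process touches three files; one write is off-share."""
    base = datetime(2023, 5, 20, 10, 0, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%S") + "Z"
    lines = [
        f"{fmt(base + timedelta(seconds=i))}|host01|pid=4412|proc=unknown.exe|op=WRITE"
        f"|path=F:\\User Shares\\finance\\doc{i}.docx"
        for i in range(25)
    ]
    lines.append(f"{fmt(base + timedelta(seconds=26))}|host01|pid=4412|proc=unknown.exe"
                 f"|op=CREATE|path=F:\\User Shares\\RECOVER_FILES_README.txt")
    lines += [
        f"{fmt(base + timedelta(seconds=5 * i))}|host01|pid=900|proc=explorer.exe|op=WRITE"
        f"|path=F:\\User Shares\\hr\\notes{i}.txt"
        for i in range(3)
    ]
    lines.append(f"{fmt(base)}|host01|pid=4412|proc=unknown.exe|op=WRITE|path=C:\\Temp\\x.bin")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The burst rule fires once per process rather than per event, so a single encryptor yields one alert plus one note alert; tune `BURST_THRESHOLD` against backup and indexing jobs that legitimately rewrite many files.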
“The use of the new ransomware represents additional efforts by actors to improve capabilities, as well as strengthen attribution and detection efforts,” the researchers said. “Despite this new ‘cover’, the group continues to follow its usual behavior and uses similar tools and techniques as before.”
Agrius is far from the only Iranian state-sponsored group involved in cyber operations targeting Israel. A report from Microsoft last month revealed MuddyWater’s collaboration with another cluster dubbed Storm-1084 (aka DEV-1084) to deploy DarkBit ransomware.
The findings also come as ClearSky disclosed that no fewer than eight websites linked to shipping, logistics, and financial services companies in Israel were compromised as part of a watering hole attack orchestrated by the Iran-linked Tortoiseshell group.
In a related development, Proofpoint revealed that a regional managed service provider (MSP) in Israel had been targeted by MuddyWater as part of a phishing campaign designed to initiate supply chain attacks against its downstream customers.
The enterprise security firm further highlighted the increasing threat to small and medium enterprises (SMEs) from sophisticated threat groups, which have been observed leveraging compromised SME infrastructure for phishing campaigns and financial theft.