Iran-linked threat actor Agrius targets Israeli organisations with new ransomware, researchers claim

Researchers from Check Point have discovered that an Iran-linked advanced persistent threat (APT) group has developed and deployed a new ransomware variant named ‘Moneybird’ to target Israeli organisations. The group, known as Agrius or BlackShadow, has a history of targeting Israeli organisations, including Shirbit Insurance and Bar-Ilan University, with ransomware and wiper attacks. Moneybird represents a shift in their tactics, as most previous attacks were carried out using ransomware called Apostle. The use of new ransomware written in C++ showcases the group’s growing capabilities and ongoing effort to develop new tools.

Check Point’s investigators noted that the techniques employed by the group, despite the new ransomware payload, bear the signature of Agrius. The threat actors gain access through public-facing web servers, utilising unique variants of ASPXSPY, a malicious script hidden within ‘Certificate’ text files. Once inside the network, they conduct reconnaissance, exfiltrate data, and utilise targeted paths that program the ransomware to ignore most files on the network. The researchers emphasise the importance of maintaining good network hygiene to prevent such attacks.

A recent report from Microsoft Threat Intelligence highlighted that the Iranian government is increasingly combining influence operations with cyberattacks. They attributed 24 cyber-enabled operations to the Iranian government in the past year, an increase from seven the previous year, with a corresponding decline in ransomware and wiper attacks associated with Agrius.