Our AI writing assistant, WriteUp, can assist you in easily writing any text. Click here to experience its capabilities.

Iranian hackers use new Moneybird ransomware to attack Israeli orgs

View Original View Raw

Summary

A suspected Iranian threat actor called 'Agrius' has been targeting entities in Israel and the Middle East since 2021. Check Point's researchers have discovered a new ransomware strain called Moneybird, which they believe was developed by Agrius to help expand their operations. Moneybird is deployed by exploiting vulnerabilities in public-facing servers and using open-source tools to gain access to corporate networks. The ransomware strain encrypts files with AES-256 and GCM encryption and drops a ransom note demanding payment within 24 hours. Check Point believes Moneybird is meant to generate revenue for the threat actors, but the ransom demand is so high that it is unlikely to be paid. Moneybird lacks command-line capabilities, making it unsuitable for mass campaigns, but it is still an effective tool for business disruption.

Q&As

Who is the suspected Iranian state-supported threat actor deploying the new Moneybird ransomware?
The suspected Iranian state-supported threat actor deploying the new Moneybird ransomware is known as 'Agrius'.

What tactics does Agrius use to gain access to corporate networks and deploy the Moneybird ransomware?
Agrius gains access to corporate networks by exploiting vulnerabilities in public-facing servers and deploys variants of ASPXSpy webshells hidden inside "Certificate" text files.

How does Moneybird encrypt target files?
Moneybird encrypts target files using AES-256 with GCM (Galois/Counter Mode), generating unique encryption keys for every file and appending encrypted metadata at their end.

What is the purpose of Moneybird ransomware?
The purpose of Moneybird ransomware is to generate revenue to fund the threat actors' malicious operations.

What capabilities does Moneybird lack that could make it a more formidable threat?
Moneybird lacks command-line parsing capabilities that allow victim-specific configurations and more deployment versatility.

AI Comments

👍 This article provides an in-depth look at the new Moneybird ransomware strain and how it is being used by the Iranian threat actor Agrius to target Israeli organizations. The article offers a comprehensive overview of the attack tactics used by Agrius, providing valuable insight into how they gain access to corporate networks and the methods they use to deploy ransomware.

👎 The article fails to provide any advice on how to protect against Moneybird ransomware attacks, leaving readers without any practical steps to take to protect their systems. Additionally, the article does not provide any information on how to recover from a Moneybird attack in the case that an organization is targeted.

AI Discussion

Me: It's about a new ransomware strain called Moneybird that is believed to be developed by an Iranian state-supported threat actor. They are using it to target Israeli organizations by exploiting vulnerabilities in public-facing servers and then using open-source tools to gain access to the networks. The ransomware is designed to cause business disruption and is very difficult to decrypt.

Friend: Wow, that's really concerning. It's scary to think that these hackers are able to target organizations so easily and cause such disruption. It also makes me wonder what other malicious activities they are capable of doing.

Me: Yeah, it's a real threat that they can access corporate networks and cause so much disruption. It's also concerning to think about how many other organizations could be targeted by the same hackers. It's important that organizations take the necessary steps to protect themselves and make sure their networks are secure.

Action items

Ensure that all public-facing servers are regularly updated and patched to prevent exploitation by malicious actors.
Implement a comprehensive security strategy that includes network segmentation, multi-factor authentication, and regular vulnerability scans.
Educate employees on the importance of recognizing phishing emails and other social engineering tactics used by threat actors to gain access to corporate networks.

Technical terms

Ransomware: A type of malicious software that encrypts a victim's files and demands a ransom payment in exchange for the decryption key.
Data Wipers: Malicious software that erases data from a computer or storage device.
Check Point Researchers: A team of security researchers from Check Point, a cybersecurity company.
Webshells: A type of malicious code that allows attackers to remotely control a compromised system.
SoftPerfect Network Scanner: A network scanning tool used to identify vulnerable systems on a network.
Plink/PuTTY: A secure communication tool used to connect to remote systems.
ProcDump: A tool used to steal credentials from a system.
FileZilla: A file transfer protocol (FTP) client used to exfiltrate data.
AES-256 with GCM (Galois/Counter Mode): An encryption algorithm used to encrypt files.
System GUID: A unique identifier assigned to a computer system.
Ransom Note: A message left by attackers demanding a ransom payment in exchange for the decryption key.
Double-Extortion Attacks: A type of ransomware attack where attackers threaten to publish stolen data if the ransom is not paid.