Iranian threat actor known as agrius It utilizes a new ransomware strain called gold bird In attacks targeting Israeli organizations.
Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of launching destructive data wipe attacks targeting Israel under the guise of a ransomware infection.
Microsoft attributes the attackers to the Iranian Ministry of Information Security (MOIS), which also runs MuddyWater. Known to be active since at least December 2020.
In December 2022, the hacking team was implicated in a series of destructive intrusion attempts targeting the diamond industry in South Africa, Israel, and Hong Kong.
These attacks used a .NET-based wiper-turned-ransomware called Apostle and its successor known as Fantasy. Unlike Apostle, Moneybird is programmed in C++.
Check Point researchers Mark Salinas Fernandez and Ili Vinopal said, “The use of the new ransomware, written in C++, encourages the group’s continued efforts to expand its capabilities and develop new tools. It is indicative and worthy of attention,” he said.
The infection sequence begins with the exploitation of a vulnerability within an Internet-facing web server, leading to the deployment of a web shell called ASPXSpy.
In subsequent steps, the web shell is used as a conduit to deliver publicly known tools to perform reconnaissance of the victim environment, move laterally, acquire credentials, and exfiltrate data.
It also runs Moneybird ransomware on compromised hosts. This ransomware is designed to encrypt sensitive files in the “F:\User Shares” folder and drop a ransom note asking companies to risk exposing stolen information if they do not contact them within 24 hours. It has been.
The researchers said, “The use of new ransomware shows that attackers are making additional efforts to harden their capabilities and step up their attribution identification and detection efforts.” “Despite these new ‘covers’, the group continues to follow normal behavior and utilize the same tools and techniques as before.”
Zero Trust + Deception: Learn How to Outsmart Attackers!
See how Deception can detect advanced threats, stop lateral movement, and strengthen your Zero Trust strategy. Join us for an insightful webinar!
Reserve your seat!
Agurius is not the only Iranian state-backed organization engaged in cyber operations targeting Israel. A Microsoft report last month revealed that MuddyWater was working with another cluster called Storm-1084 (aka DEV-1084) to deploy his DarkBit ransomware.
The findings also reveal that at least eight websites associated with Israeli shipping, logistics and financial services companies were compromised as part of a watering hole attack organized by the Iran-linked Tortoiseshell Group, ClearSky reveals. It was announced in conjunction with the
In a related development, Proofpoint has targeted Muddywater as part of a phishing campaign aimed at launching supply chain attacks against downstream customers by a regional managed service provider (MSP) in Israel. revealed that it has become
The enterprise security firm also highlighted escalating threats to small and medium-sized businesses (SMBs) from sophisticated threat groups. These threats have been observed leveraging compromised SMB infrastructure for phishing campaigns and financial theft.
