A threat actor group in Iran known as Agrius, formerly known as Americium, has been linked to the Ministry of Intelligence and Security (MOIS). The group has been active since December 2020 and has recently been observed using a new ransomware strain called Moneybird in attacks against Israeli organizations. Moneybird is written in C++, a departure from the .NET-based wiper-turned-ransomware Apostle and its successor Fantasy, which were used in disruptive intrusions against diamond industries in South Africa, Israel, and Hong Kong.
The infection sequence begins with the exploitation of vulnerabilities in internet-exposed web servers, followed by the deployment of a web shell called ASPXSpy. The web shell is used to perform reconnaissance, move laterally, harvest credentials, and exfiltrate data, and finally to execute the Moneybird ransomware. Moneybird is designed to encrypt sensitive files in the “F:\User Shares” folder and drop a ransom note urging the company to contact the attackers within 24 hours or risk having their stolen information leaked.
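The web shell stage is the point in this chain where a defender has the clearest log-based visibility: an ASPX web shell sitting on an IIS server shows up as repeated POST requests to a single .aspx file that is not part of the deployed application. The following Python script is an added illustration written for this page (it is not from the article, from Agrius tooling, or from any ASPXSpy analysis). It parses IIS W3C extended-format log lines, counts POSTs per URI stem, and flags stems that are absent from an allowlist of known pages. The log lines, the allowlist, and the `/aspnet_client/cmd.aspx` path are constructed sample data, not real indicators.

```python
"""Heuristic hunt for web-shell activity in IIS W3C logs.

Added example: repeated POSTs to an .aspx file that is not part of the
deployed application are a common trace of a web shell such as the ASPXSpy
stage described above. Sample log and allowlist below are constructed.
"""
from collections import defaultdict

# W3C field order as declared in the #Fields directive of the constructed log.
# IIS replaces spaces inside field values (e.g. User-Agent) with '+', so a
# plain split on ' ' is safe for real logs as well.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log: two legitimate pages and one unknown .aspx receiving POSTs.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-01 09:00:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-01 09:00:04 10.0.0.5 POST /Login.aspx - 443 - 203.0.113.7 Mozilla/5.0 302
2023-05-01 09:05:10 10.0.0.5 POST /aspnet_client/cmd.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2023-05-01 09:05:12 10.0.0.5 POST /aspnet_client/cmd.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2023-05-01 09:05:19 10.0.0.5 POST /aspnet_client/cmd.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2023-05-01 09:06:30 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.9 Mozilla/5.0 200
"""

# Constructed allowlist: .aspx pages that belong to the deployed application
# (lower-cased, because IIS paths are case-insensitive).
KNOWN_PAGES = {"/default.aspx", "/login.aspx"}


def parse_w3c(text):
    """Yield one dict per request line; '#' directive lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) < len(FIELDS):
            continue  # truncated or malformed line
        yield dict(zip(FIELDS, parts))


def find_suspicious_aspx(text, known_pages, min_posts=2):
    """Return {uri_stem: {"posts": n, "clients": {ips}}} for .aspx stems that
    are not in `known_pages` and received at least `min_posts` POST requests."""
    stats = defaultdict(lambda: {"posts": 0, "clients": set()})
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if rec["cs-method"] != "POST" or not stem.endswith(".aspx"):
            continue
        if stem in known_pages:
            continue
        stats[stem]["posts"] += 1
        stats[stem]["clients"].add(rec["c-ip"])
    return {s: v for s, v in stats.items() if v["posts"] >= min_posts}


if __name__ == "__main__":
    for stem, info in find_suspicious_aspx(SAMPLE_LOG, KNOWN_PAGES).items():
        print(f"{stem}: {info['posts']} POSTs from {sorted(info['clients'])}")
```

In practice the allowlist comes from the application's deployment manifest or a baseline file inventory of the webroot, and the hit list is cross-checked against file creation times on disk: an .aspx file that appeared outside a deployment window and receives POSTs from a small set of client addresses is what warrants a response.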
The use of Moneybird is indicative of Agrius’ expanding capabilities and of its efforts to make attribution and detection harder. However, the group continues to use similar tools and techniques as before. Agrius is just one of several Iranian state-sponsored groups targeting Israel, alongside MuddyWater and Tortoiseshell. These groups have been observed leveraging compromised infrastructure belonging to small and medium-sized businesses (SMBs) for phishing campaigns and financial theft, and are increasingly targeting such businesses directly.
Source: Hackernews
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA (www.infrascan.net), or you can try it yourself using check.website.