
Iranian Threat Group ‘Agrius’ Uses Moneybird Ransomware to Target Israeli Orgs

An elusive cyber threat actor with alleged ties to the Iranian state, recognized as ‘Agrius,’ has recently unleashed their formidable weapon called ‘Moneybird’ upon Israeli establishments.

This latest ransomware strain has relentlessly targeted organizations in Israel and the wider Middle East region since at least 2021. Concealing its malevolent activities behind various aliases, Agrius has not hesitated to unleash data wipers in its destructive assaults, leaving a trail of havoc in its wake.

Remarkably, cybersecurity experts from Check Point have unearthed evidence pointing to Agrius as the mastermind behind ‘Moneybird,’ suggesting that this novel ransomware variant amplifies their sinister endeavors and obfuscates their true identities.

The Moneybird Ransomware

According to Check Point researchers, Agrius gains initial access to corporate networks by exploiting vulnerabilities in public-facing servers. To hide their origin, the threat actors connect through Israel-based ProtonVPN nodes and deploy ASPXSpy webshells concealed inside text files named as “Certificate” files, a technique Agrius has used before.

Once the webshells are in place, the attackers rely on open-source and freely available tools: SoftPerfect Network Scanner for network reconnaissance, Plink/PuTTY for secure communication, ProcDump for dumping credentials, and FileZilla for data exfiltration.

In the subsequent phase of the assault, Agrius retrieves the Moneybird ransomware executable from legitimate file hosting platforms like ‘ufile.io’ and ‘easyupload.io.’
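The intrusion chain described above (a webshell hidden in a “Certificate” text file, a web-server process spawning a shell, the reconnaissance and tunnelling tools, a credential dump via ProcDump, and a download from a public file-hosting site) maps directly onto a handful of detection rules. The following Python script is an added example, not code from the original article or from Check Point; it runs a small rule set over constructed telemetry events and flags hosts on which several rules fire together. The event field names (`type`, `host`, `image`, `child`, `cmdline`, `dest_host`) are assumptions, as is the sample telemetry.

```python
"""Rule-based hunt for the Agrius/Moneybird intrusion chain over constructed endpoint telemetry.

Added example (not the article's or Check Point's code). Event schema and sample
events are assumptions constructed for this demonstration; they are not real telemetry.
"""
import re
from collections import defaultdict

# Server-side ASPX markers that should never appear inside a "certificate" text file.
ASPX_MARKERS = re.compile(r'<%@\s*Page|<script[^>]+runat="server"|Request\.(Form|Params|Item)', re.I)
# File names that look like certificates or harmless text files.
CERT_LIKE_NAME = re.compile(r'cert|\.(cer|crt|pem|txt)$', re.I)

WEB_SERVER_PROCS = {"w3wp.exe"}                 # IIS worker process hosting ASPX pages
SHELL_PROCS = {"cmd.exe", "powershell.exe"}
# Tooling named in the article, keyed by the executable name we expect in process events.
TOOLING = {
    "netscan.exe": "SoftPerfect Network Scanner",
    "plink.exe": "Plink",
    "putty.exe": "PuTTY",
    "filezilla.exe": "FileZilla",
}
FILE_HOSTS = {"ufile.io", "easyupload.io"}     # hosting sites named in the article

# Constructed sample events: one compromised web server (web01) and one benign host (fs01).
SAMPLE_EVENTS = [
    {"type": "file_write", "host": "web01", "path": r"C:\inetpub\wwwroot\certs\Certificate.txt",
     "content_head": '<%@ Page Language="C#" %><% Request.Form["cmd"] %>'},
    {"type": "process", "host": "web01", "image": "w3wp.exe", "child": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "host": "web01", "image": "cmd.exe", "child": "netscan.exe",
     "cmdline": "netscan.exe /range:10.0.0.0/24"},
    {"type": "process", "host": "web01", "image": "cmd.exe", "child": "procdump.exe",
     "cmdline": "procdump.exe -ma lsass.exe out.dmp"},
    {"type": "process", "host": "web01", "image": "cmd.exe", "child": "plink.exe",
     "cmdline": "plink.exe -R 3389:127.0.0.1:3389 user@203.0.113.5"},
    {"type": "network", "host": "web01", "image": "powershell.exe", "dest_host": "ufile.io",
     "bytes_in": 452000},
    {"type": "process", "host": "fs01", "image": "explorer.exe", "child": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def detect(events):
    """Return a list of (rule_name, host, detail) findings for the given events."""
    findings = []
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "file_write":
            name = ev["path"].rsplit("\\", 1)[-1]
            if CERT_LIKE_NAME.search(name) and ASPX_MARKERS.search(ev.get("content_head", "")):
                findings.append(("webshell_in_certificate_file", host, ev["path"]))
        elif kind == "process":
            parent, child = ev["image"].lower(), ev["child"].lower()
            cmdline = ev.get("cmdline", "")
            if parent in WEB_SERVER_PROCS and child in SHELL_PROCS:
                findings.append(("web_server_spawned_shell", host, cmdline))
            if child in TOOLING:
                findings.append(("intrusion_tool", host, f"{TOOLING[child]}: {cmdline}"))
            if child == "procdump.exe" and "lsass" in cmdline.lower():
                findings.append(("lsass_dump_via_procdump", host, cmdline))
        elif kind == "network":
            if ev.get("dest_host", "").lower() in FILE_HOSTS:
                findings.append(("file_hosting_download", host, ev["dest_host"]))
    return findings


def hosts_with_chain(findings, min_rules=3):
    """Group distinct rule hits per host; hosts reaching min_rules are escalated."""
    by_host = defaultdict(set)
    for rule, host, _ in findings:
        by_host[host].add(rule)
    return {h: sorted(rules) for h, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, host, detail in hits:
        print(f"[{host}] {rule}: {detail}")
    print("escalate:", hosts_with_chain(hits))
```

Any single rule here is noisy on its own (administrators do run PuTTY and network scanners), which is why the escalation step counts distinct rules per host rather than alerting on each hit; the first rule, ASPX directives inside a file named like a certificate, is the one with essentially no legitimate explanation and is worth a standalone alert.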

The ransomware is written in C++ and encrypts files with AES-256 in GCM (Galois/Counter Mode). A unique encryption key is generated for each file, and the encrypted metadata is appended to the end of the file, which adds to the strain’s complexity.

Check Point researchers observed a specific focus on “F:\User Shares” in their investigations—a shared folder commonly utilized in corporate networks for storing collaborative materials, corporate documents, and databases.

This targeted approach suggests that Moneybird aims primarily to disrupt business operations rather than solely immobilize affected computers.
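Because the encryption targets a shared folder such as “F:\User Shares”, a defender’s cheapest early signal is a change in the statistical profile of the files on that share: AES-GCM ciphertext is indistinguishable from random bytes, so a sweep that measures byte entropy will separate freshly encrypted documents from the plaintext they replaced. The script below is an added example, not code from the article or from Check Point; it builds a constructed sample share in a temporary directory (three plaintext reports and two files overwritten with random bytes standing in for ciphertext), sweeps it, and reports the fraction of files that look encrypted. The directory layout, file names, and the 7.5-bit threshold are assumptions.

```python
"""Entropy sweep of a file share to spot files overwritten with ciphertext.

Added example (not the article's or Check Point's code). The sample share built by
build_sample_share() is constructed for this demonstration; random bytes stand in for
AES-GCM ciphertext, which is statistically indistinguishable from them.
"""
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, threshold: float = 7.5, sample_bytes: int = 4096) -> bool:
    """Judge a file by the entropy of its first sample_bytes bytes.

    Plain documents typically sit around 4-5 bits/byte; ciphertext and already-compressed
    formats (zip, docx, jpeg) approach 8. The threshold is an assumption; tune it per share.
    """
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    return shannon_entropy(head) >= threshold


def sweep_share(root: str, threshold: float = 7.5):
    """Walk the share and return (total_files, [paths that look encrypted])."""
    flagged, total = [], 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            total += 1
            path = os.path.join(dirpath, name)
            if looks_encrypted(path, threshold):
                flagged.append(path)
    return total, flagged


def encrypted_fraction(root: str, threshold: float = 7.5) -> float:
    """Fraction of files on the share that look encrypted; a sudden jump is the alert condition."""
    total, flagged = sweep_share(root, threshold)
    return len(flagged) / total if total else 0.0


def build_sample_share() -> str:
    """Create a constructed share: 3 plaintext reports plus 2 files overwritten with ciphertext-like bytes."""
    root = tempfile.mkdtemp(prefix="user_shares_")
    finance = os.path.join(root, "finance")
    os.makedirs(finance)
    for i in range(3):
        with open(os.path.join(finance, f"report{i}.txt"), "w", encoding="utf-8") as fh:
            fh.write("Quarterly figures, plain text line\n" * 200)
    for i in range(2):
        # Stand-in for a document the ransomware has rewritten: random bytes, as ciphertext would be.
        with open(os.path.join(finance, f"contract{i}.docx"), "wb") as fh:
            fh.write(os.urandom(8192))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    total, flagged = sweep_share(share)
    print(f"{len(flagged)} of {total} files look encrypted ({encrypted_fraction(share):.0%})")
    for p in flagged:
        print("  ", p)
```

In production the useful signal is the delta: run the sweep on a schedule, store the fraction per share, and alert when it climbs sharply within one interval. A static threshold alone will flag legitimately compressed formats, so compare against the share’s own baseline rather than against zero.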

Check Point further notes that restoring data and decrypting files would be very difficult, because the private keys used for encryption are derived from a combination of the system GUID, the file’s content, the file path, and random numbers.

Following the encryption process, ransom notes are dropped on the targeted systems, directing victims to visit a designated link within a tight 24-hour window to receive instructions for data restoration.

In a noteworthy departure from Agrius’ prior assaults, Moneybird is presumed to be a revenue-generating ransomware strain rather than a data wiper, designed to fund the threat actors’ nefarious activities. However, in the incident analyzed by Check Point Research, the ransom demanded was exorbitantly high, making payment highly unlikely and effectively turning the attack into a purely destructive endeavor.

According to Check Point’s analysis, Moneybird stands out due to its absence of command-line parsing functionalities, which restricts victim-specific configurations and reduces its deployment flexibility.

Instead, the ransomware relies on an embedded configuration blob, implying that its behavioral parameters are predetermined and cannot be easily tailored for individual targets or specific scenarios. Consequently, this strain is ill-suited for large-scale campaigns.

Nevertheless, for Agrius, Moneybird remains a potent tool for disrupting business operations. Considering the potential for future advancements and the release of more sophisticated iterations, this ransomware variant may evolve into a significant menace targeting a wider array of Israeli organizations.
