Iranian Hackers Deploy New Ransomware Against Israeli Firms


Researchers Discover Moneybird Ransomware Strain, Warn of Growing Sophistication


Security researchers have discovered an Iran-linked APT group carrying out a new chain of ransomware attacks against Israeli organizations using a previously unseen strain of malware.


Researchers at Check Point found a ransomware strain called Moneybird that is reminiscent of the Iranian Agrius group’s previous campaigns.

Agrius gained notoriety for targeting Israel-based entities with wiper variants, masking the intrusions as ransomware attacks to confuse defenders.

According to Check Point investigators, the new Moneybird strain is an upgrade to previous Agrius attacks that used its custom-built Apostle wiper malware. The upgrade is indicative of the group’s relentless expansion efforts. “The use of a new ransomware written in C++ is noteworthy as it demonstrates the group’s expanding capabilities and ongoing effort in developing new tools,” Check Point said.

In the latest attack, the entry point was web shells placed on vulnerable servers that were reached through known VPN service nodes. After deploying the web shells, the threat actor used several publicly available tools to move laterally through the affected environment.

The malicious files are then downloaded for ransomware execution and data exfiltration activities through some common services.

Other tools are also deployed for similar intentions, such as…